Breach, Threat Management, Data Security, Incident Response, TDR

London-based Urban Massage app leaks data on 300K customers, including sexual misconduct claims

A data breach of London-based startup Urban Massage exposed the personal records of more than 309,000 users including data on clients accused of sexual misconduct.

The service offers “wellness that comes to you" allowing users to book massage therapist to come them.

The breach was the result of the company leaving its Google-hosted ElasticSearch database online without a password and as a result, anyone who knew where the site was hosted could search, edit or delete the information it held.

The database exposed data including names, email addresses, and phone numbers as well as unique referral codes that could allow friends to get discounted treatments. The exposed documents also revealed complaints about clients who were described as “dangerous” and clients who were under police investigation for incidents including asking for “massage in genital area.”

The exposed data based was discovered by security researcher Oliver Hough who initially reported the issue to TechCrunch. The publication alerted Urban Massage who subsequently rectified the situation. It’s unknown exactly how long the database was left exposed but the publication estimates the database was exposed for at least a few weeks.

Officials also alerted the U.K.’s privacy watchdog, the Information Commissioner’s Office of the incident.

“Urban is looking into this as a matter of utmost urgency,” Chief executive Jack Tang said in a statement. “We have informed the ICO and will take all other appropriate action, including in relation to data and communications.”

A spokesperson for the ICO told the publication it “will assess the information we receive against data protection laws, before deciding whether or not to investigate.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds