A popular London-based massage startup has leaked its entire customer database — and could face steep fines due to violating GDPR (General Date Protection Regulation) rules.
Urban Massage — now known as Urban — bills itself as “wellness that comes to you.” Security researcher Oliver Hough told TechCrunch that the site’s Google-hosted ElasticSearch database was left online without a password, exposing hundreds of thousands of customer and staff records. Anyone who discovered the information could easily access, edit or delete the database.
It’s unknown how long the database was exposed, although it is believed that the issue had been going on for at least a few weeks. It’s also uncertain if anyone else had accessed or obtained data from the database before Urban pulled it offline after being notified about the leak.
“Urban is looking into this as a matter of utmost urgency. We have informed the ICO and will take all other appropriate action, including in relation to data and communications,” Chief Executive Jack Tang said in a statement.
During the time the database was exposed, there were more than 309,000 user records, including names, email addresses and phone numbers. In addition, the database held over 351,000 booking records, and more than 2,000 records on the company’s massage therapists, including their names, email addresses and phone numbers. After a preliminary review, it doesn’t appear that any financial information was exposed.
But for some, the information exposed could still cause harm. The records included thousands of complaints from workers about their clients, including complaints that included allegations of sexual misconduct by clients — such as asking for “massage in genital area” and requesting “sexual services from therapist.” Other clients were tagged as “dangerous,” while others were blocked due to “police enquiries.” The complaints included identifiable information about customers, including names, addresses and postcodes and phone numbers.
The company falls under the new GDPR rules, and as a result, could be hit with financial penalties of up to 4 percent of its global annual revenue.