Alerting Iran's Computer Emergency Response Team Coordination Center (Iran CERTCC), Bob Diachenko took to Twitter on Friday to report the exposure.
“On April 18 I discovered an open and publicly available MongoDB instance which contained astonishingly sensitive information on Iranian drivers,” he wrote on SecurityDiscovery.com. MongoDB is a cross-platform document-oriented database program.
Local media extensively covered the breach. Reports were published on IRNA news agency, along with news websites like Peivast, Zoomit and Webna, according to Financial Tribune.
Leaked data included drivers’ first and last names, their national ID numbers stored in plain text, their phone numbers, and other data such as invoice information.
The exposed database was named ‘doroshke-invoice-production’ (doroshke means carriage in Persian) and had two collections with invoices split by year, Iranian fiscal years of 2016-17 and 2017-18. The first collection included 740,952 records while the number soared to 6 million in the latter. The actual number of people affected by the breach is still unknown.
After detecting the exposed data on the web, Diachenko sent an alert to the Iranian CERTCC and also initiated further investigations with help from Iranian security researchers.
He further asked people to contact Iran’s major ride-hailing companies, Snapp and TAP30 to notify them about the data leak. The data was not marked by the owner firm, therefore identifying TAP30 as the owner and notifying the firm took several hours.
“No matter who owned [the data], the fact alone that such highly sensitive personally identifiable information was available in the wild for at least 3 days, is scary,” Diachenko adds.
He later wrote on Twitter, “I can now confirm that it was an isolated incident and no other information other than drivers’ records were exposed for a limited period of time.”
Company’s Response
Few hours after the news broke out and before TAP30 claiming responsibly for the leaked data, Snapp issued a statement announcing that the exposed information was not owned by it.
Later, TAP30 reported that the data was owned by it and that the firm has secured the information.
TAP30 chief Milad Monshipour wrote on Twitter, “I personally take responsibility for what has happened. I am sorry. We’ll soon announce our future plans for curbing the possibility of such incidents.”
Many saw a simple online apology inadequate saying that the drivers’ data privacy has been breached due to the firm’s negligence and managers should be held legally accountable. However, others thanked Monshipour for his open approach.
TAP30 further tried to reassure users that no data on customers has been exposed through the leak. Tap30 offers services in 15 cities. More than 1 million drivers work for the firm.
The records were stored in a MongoDB database that apparently did not require strong authentication. Researchers previously have discovered numerous vulnerabilities in MongoDB databases, which allow users to store vast quantities of information in a single place. Diachenko previously found personal data belonging to 202 million Chinese job seekers and, later, 24 million financial records.
Mistakenly exposed databases – which generally are not necessarily malicious – continue to plague companies.