A data breach at London-based startup Urban Massage exposed the personal records of more than 309,000 users, including data on clients accused of sexual misconduct.
The service offers “wellness that comes to you,” allowing users to book a massage therapist to come to them.
The breach was the result of the company leaving its Google-hosted ElasticSearch database online without a password. As a result, anyone who knew where the site was hosted could search, edit or delete the information it held.
The database exposed data including names, email addresses, and phone numbers as well as unique referral codes that could allow friends to get discounted treatments. The exposed documents also revealed complaints about clients who were described as “dangerous” and clients who were under police investigation for incidents including asking for “massage in genital area.”
The exposed database was discovered by security researcher Oliver Hough, who initially reported the issue to TechCrunch. The publication alerted Urban Massage, which subsequently rectified the situation. It’s unknown exactly how long the database was left exposed, but the publication estimates it was exposed for at least a few weeks.
Officials also alerted the U.K.’s privacy watchdog, the Information Commissioner’s Office, of the incident.
“Urban is looking into this as a matter of utmost urgency,” chief executive Jack Tang said in a statement. “We have informed the ICO and will take all other appropriate action, including in relation to data and communications.”
A spokesperson for the ICO told the publication it “will assess the information we receive against data protection laws, before deciding whether or not to investigate.”