The popular massage-booking app Urban let a database containing more than 300,000 customer profiles lay exposed online, meaning anyone could access it without any kind of login credentials and access the names, email addresses, and phone numbers of Urban’s users, reports TechCrunch.
But the records also contained thousands of complaints from massage therapists about their clients. These complaints included allegations of sexual misconduct by clients by therapists, including clients who solicited “sexual services from [the] therapist” and those who requested “massage in genital area.” The database also marked some clients as “dangerous” based on therapist feedback.
Clients whose records were marked with allegations of sexual harassment also featured their name, address, and postcode, and phone number on their record–making them easily identifiable–and open to blackmail.
It’s unknown if anyone accessed the exposed database before the security researcher who found it reported it to TechCrunch, who notified the London-based Urban, which promptly pulled the database offline. In a statement, the company’s CEO Jack Tang said: “Urban is looking into this as a matter of utmost urgency. We have informed the ICO and will take all other appropriate action, including in relation to data and communications.”
Due to the breach, Urban could see itself hit with a massive fine–up to 4% of its global revenue–because the breach falls under the EU’s tough new General Data Protection Regulation, which went into effect earlier this year.