Personal records of up to 309,000 UK citizens, including names, email addresses, and phone numbers, were left exposed on the Internet when Urban Massage, a London-based massage therapy startup, stored the data on an Internet-facing server that required no password to access.
The customer records held by Urban Massage, now known as Just Urban, were stored in an unprotected Elasticsearch database. Besides names, email addresses and phone numbers, they included each customer's unique referral code, which lets the customer's friends claim discounted treatments.
According to TechCrunch, the database also contained the names, email addresses, and phone numbers of Urban Massage therapists, records of 351,000 bookings, and thousands of complaints lodged by therapists about their clients. The complaints alleged abuse of the referral system, repeated cancellations, fraudulent behaviour, and sexual misconduct by certain clients who requested “sexual services from therapist” and “massage in genital area”.
According to security researcher Oliver Hough, who found the Elasticsearch instance through the Shodan search engine, the database enforced no authentication at all: anyone on the Internet could not only read the data but also modify or delete it through the server's HTTP API.
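The failure described above is a single missing control: an Elasticsearch HTTP endpoint reachable from the Internet that answers anonymous requests, so the same API that serves reads also accepts writes and deletes. The following script is an added example, not code from the article, from Urban Massage or from Hough. It probes an endpoint you own with an unauthenticated read, a write to a throwaway canary index and a delete of that same index, then classifies the result. The canary index name, the default port 9200 and the local URL are assumptions; the classification logic can be exercised offline without a cluster.

```python
"""Check an Elasticsearch endpoint you own for unauthenticated access.

Added example: not from the article, Urban Massage or the researcher.
Usage:  python es_exposure_check.py http://127.0.0.1:9200
Without an argument it demonstrates the verdict logic on constructed statuses.
"""
import json
import sys
import urllib.error
import urllib.request

# Hypothetical index name; the write and delete probes touch ONLY this index,
# so a successful delete never removes real data.
CANARY_INDEX = "zz-exposure-canary"


def probe(base_url, method="GET", path="/", body=None, timeout=5):
    """Send one request with no credentials and return (status, response text).
    A connection failure is reported as status 0."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=data,
        method=method,
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def classify(read_status, write_status, delete_status):
    """Turn the three probe statuses into a verdict.
    401 or 403 on the read means the cluster demanded credentials; any 2xx means
    the anonymous client got through for that operation."""
    def ok(status):
        return 200 <= status < 300

    if read_status == 0:
        return "unreachable"
    if ok(read_status) and ok(write_status) and ok(delete_status):
        return "open: anonymous read, write and delete"
    if ok(read_status) and (ok(write_status) or ok(delete_status)):
        return "open: anonymous read and partial write"
    if ok(read_status):
        return "open: anonymous read"
    if read_status in (401, 403):
        return "authentication enforced"
    return f"unexpected status {read_status}"


def audit(base_url):
    """Run the read, write and delete probes against base_url.
    Returns (verdict, (read_status, write_status, delete_status))."""
    # Listing indices is what a scanner does first after finding the port.
    read_status, _ = probe(base_url, "GET", "/_cat/indices?format=json")
    # Indexing a document auto-creates the canary index on an open cluster.
    write_status, _ = probe(base_url, "PUT", f"/{CANARY_INDEX}/_doc/1", {"canary": True})
    # Deleting the canary index proves delete access and cleans up after the write.
    delete_status, _ = probe(base_url, "DELETE", f"/{CANARY_INDEX}")
    statuses = (read_status, write_status, delete_status)
    return classify(*statuses), statuses


if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict, statuses = audit(sys.argv[1])
    else:
        # Constructed statuses standing in for a fully open cluster (no network needed).
        statuses = (200, 201, 200)
        verdict = classify(*statuses)
    print(verdict, statuses)
```

Only run the write and delete probes against a cluster you are authorised to test; on a shared host, a write that succeeds but a delete that fails leaves the canary index behind, which the printed statuses will show. A verdict of "authentication enforced" on the local address is not the end of the check: repeat it from outside the network perimeter, because Shodan indexes what is reachable from the Internet, not what is reachable from the office.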
Urban Massage threatened journalists with legal action
After being contacted by TechCrunch, Urban Massage removed all customer records from the database and notified the ICO, but maintained that the company had not “leaked” any data and that Hough had merely discovered a “potential security vulnerability”.
In an email to Gizmodo, Jack Tang, CEO of Urban Massage, said that “it is not true that Urban leaked any data (we are contacting TechCrunch to amend this statement in their article). Your statement in your article would be misleading and we would reserve our rights.”
“We immediately closed the potential vulnerability and have taken all appropriate action, including by notifying users and the ICO. The researcher has now confirmed to us that he did not copy or retain any data and that he did not pass anything to anyone else other than the journalist. That was the only access we are aware of,” read a statement from Urban Massage. The statement establishes only that the company knew of no access other than Hough's, not that no one else reached a database that had been open to the Internet without authentication.
Gizmodo asked Tang how he would characterise the presence of customer records in an unsecured online database. Tang replied that he stood by his earlier statement and that Urban Massage “would reserve our rights to any damages as a result of any misleading information you publish”.