Personal data of 309,000 Urban Massage staff & customers exposed via unsecured database


Personal records of up to 309,000 UK citizens, including names, email addresses, and phone numbers, were left exposed on the Internet when London-based massage therapy startup Urban Massage stored their data on an online server that lacked password protection.

Customer data records held by Urban Massage, now known as Just Urban, were stored in an unprotected Elasticsearch database. Aside from names, email addresses and phone numbers, the records also included unique referral codes that friends of customers could use to obtain discounted treatments.

According to TechCrunch, the database also contained the names, email addresses, and phone numbers of Urban Massage therapists, records of 351,000 bookings, and thousands of complaints lodged by therapists about their clients. The complaints alleged abuse of the referral system, regular cancellations, fraudulent behaviour, and sexual misconduct by certain clients who requested “sexual services from therapist” and “massage in genital area”.

According to security researcher Oliver Hough, who discovered the Elasticsearch database using the Shodan search engine, anyone on the Internet could not only access the data stored in the database but also modify or delete it.

Urban Massage threatened journalists with legal action

After being contacted by TechCrunch, Urban Massage removed all customer records from the database and informed the ICO, but said that the company did not "leak" any data and that Hough had only discovered a "potential security vulnerability".

In an email to Gizmodo, Jack Tang, CEO of Urban Massage, said that “it is not true that Urban leaked any data (we are contacting Techcrunch to amend this statement in their article). Your statement in your article would be misleading and we would reserve our rights.”

"We immediately closed the potential vulnerability and have taken all appropriate action, including by notifying users and the ICO. The researcher has now confirmed to us that he did not copy or retain any data and that he did not pass anything to anyone else other than the journalist. That was the only access we are aware of," read a statement from Urban Massage, implying that the database was not accessed by anyone other than Hough.

Gizmodo asked Tang how he would characterize the presence of customer records in an unsecured online database, in response to which Tang said that he stood by his earlier statement and that Urban Massage "would reserve our rights to any damages as a result of any misleading information you publish".



Copyright Lyonsdown Limited 2021
