Saudi ride-hailing company exposes drivers' licenses and passports

A massive data leak affecting hundreds of thousands of Saudi citizens has hit a ride-hailing service in the Kingdom.

Cybernews researchers have identified an open AWS storage bucket belonging to the Saudi Arabian ride-hailing company Blink.

The bucket contains hundreds of thousands of scanned Saudi citizens’ personal identification documents, including passports, driving licenses, and vehicle registration numbers. In total, nearly 330,000 documents were exposed, and around 127,000 individuals were affected.

Cybernews has contacted the company but has not yet received a response.

Risk of identity theft and financial loss

The lack of authentication allowed anyone online to access the documents, posing a tremendous threat to the affected individuals.

The lack of authentication would allow anyone to access the documents, which poses a tremendous threat to the individuals whose personal information is involved.

Saudi Arabian identification numbers are similar to Social Security Numbers (SSNs) in the US. If a malicious actor misuses this exposed personal data, it could result in identity theft, fraud, and targeted cybercrimes.

Leaked documents

This could lead to financial losses, unauthorized access to personal accounts, and other severe consequences for the individuals affected. Furthermore, driver’s license numbers can be abused for stalking, unauthorized tracking, and privacy invasion.

“Such stolen identity verification documents are, ironically, could be used by ride-sharing service drivers, when they don't have a valid driver's license in the country they are operating in, or more worryingly, by criminals,” said Aras Nazarovas, a security researcher at Cybernews.

The passport photos could also be used to make forged documents, open fraudulent bank accounts in the victim’s name, or take out loans. There’s a high demand for scanned documents among cybercriminals, which are frequently sold on the dark web.

Cybernews advises Blink users affected by the data leak to contact the Saudi Arabian authorities to revoke their leaked passports and driver's licenses and obtain replacement documents.

Your passport photo is never safe

Submitting scanned documents always poses a security risk, as organizations may not implement the necessary security measures when handling and storing this data. Unfortunately, Cybernews researchers have repeatedly proved this to be the case.

For example, Cybernews researchers uncovered that a popular university admission platform in India – Leverage EDU – leaked almost 240,000 sensitive files. The company has a network of over 650 educational institutions worldwide and 80 million users.

Among the files were photos of students’ passports submitted to the company for use in the admission process to foreign universities. The data was stored in an Amazon S3 bucket without a password.