Daytrip data leak reveals detailed travel data, VIP members


A subcontractor mistake has put the intercity travel platform Daytrip in the hot seat. An exposed database revealed hundreds of thousands of customer records and travel orders.

Daytrip, a platform with a presence in 130 countries spanning all continents bar Antarctica, had over 470K user records and 762K detailed travel orders exposed, the Cybernews research team has discovered.

According to the team, the data was stored on an unsecured MongoDB database managed by Daytrip’s subcontractor. The leak revealed copious details, ranging from names and surnames to PayPal emails and pick-up/drop-off addresses.

Daytrip closed the database after our research team contacted the company, and said it has discontinued working with the vendor. The company says that safeguarding data is its top priority and one it does not take lightly.

“As part of this commitment, we regularly review our partnerships and have discontinued working with the vendor in question to ensure alignment with our high standards of security and service,” the company told Cybernews.

Daytrip data leak sample. Image by Cybernews.

What Daytrip data was leaked?

Launched in 2015, Daytrip offers door-to-door rides with private cars. Think of it as an intercity Uber, with over a million customers who have used its service.

Businesses such as Daytrip often utilize MongoDB to organize and store large amounts of information. However, Daytrip’s subcontractor is hardly the first to overlook the importance of properly configuring the database.

According to the team, the unprotected instance had numerous sensitive details, such as:

  • Names and surnames
  • PayPal emails
  • Emails
  • Phone numbers
  • Dates of birth
  • Partial payment details
  • Billing information
  • Pick-up and drop-off addresses
  • Passenger details
  • Fees
  • VIP flags

The team says it’s not surprising that an online ride-hailing service stores large swaths of information, as it has become the norm in the industry. However, data security is no joke in such matters.

“The compromised database was apparently under the control of a Daytrip subcontractor, emphasizing the importance of strict vendor management and consistent security practices across all data handlers in the supply chain,” researchers said.

Why is Daytrip’s leak dangerous?

While there’s no indication malicious actors got hold of the data, threat actors have automated tools that scour the web for unprotected instances and immediately download their contents.

Meanwhile, the exposed details pose numerous risks to the individuals affected. For one, the leak carries a perfect blend of data for identity theft and financial fraud.

Attackers can craft convincing scams using names, birth dates, and payment details, with PayPal emails serving as a basis for targeted phishing attacks.

Meanwhile, leaking physical addresses and travel patterns creates real-world risks. Attackers could use pick-up and drop-off details to determine when specific individuals leave the house. Moreover, VIP flags could help crooks identify high-value targets.

The scale of the leak, with hundreds of thousands of user records and even more travel records, makes it a treasured asset in the cyber underworld, where malicious actors could repackage and sell the data.

To avoid similar incidents happening in the future, the research team advises businesses to carry out strong vendor oversight, reviewing and enforcing data protection standards for all subcontractors handling sensitive data.

Additionally, users ought to be informed about the breach, so they can monitor accounts for suspicious activity. Businesses should also assess their obligations under GDPR or other data privacy laws to ensure proper reporting and remediation.

Another helpful tool is an incident response plan, which helps to adequately handle future data leaks by rapidly preparing disclosure and technical response protocols.


  • Leak discovered: October 21st, 2024
  • Disclosure sent: October 21st, 2024
  • Leak closed: October 24th, 2024