The Egyptian bus-hailing company, SWVL, revealed this week that its platform was exposed to a security breach that targeted the data of some customers. It is believed that names, email addresses and phone numbers were accessed by the attackers. SWVL stated, that as soon as the breach was discovered, the information technology team dealt with it, adding that the breached vulnerability was secured, and the site was fully secured.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
What is encouraging about this situation is Swvl’s commitment to react rapidly to the breach to determine the extent of compromised data and the level of sensitivity. They quickly triaged the response to understand the full extent of exposure. That is an appropriate response given the circumstances.
What is unclear is whether or not they will institute a more data-centric approach to their customer data to further assure that, even if a data breach occurs, nothing that is truly sensitive will ever be revealed. Data-centric measures such as encryption go a certain distance toward preventing this, but often data encryption can hinder internal data workflows and can demand maintenance overhead. We also know that data encryption methods are not always fool-proof. Tokenization of data, which replaces sensitive information with benign and meaningless representational tokens, would further ensure customers’ data privacy. Even if sensitive data is accessed or stolen, nothing meaningful or valuable could be extracted from the tokens themselves.
I’m sure that their team is investigating more proactive ways to prevent this in the future. Hopefully, data-centric security measures are part of that deliberation.