Is Ola Leaking Your Data?
An Ola Cabs customer has posted a note on Facebook alleging that the company has been sending her a barrage of SMS alerts containing other users' information, such as their names, phone numbers, and other ride details.
The post claims that Ola has been sending hundreds of SMSes over several days now, even though she had already called the Ola customer service number to complain about this.
We reached out to Ola on Saturday, and on Monday, the company confirmed that this was happening because the customer’s number was entered in the wrong database. “There has been a manual error on the entry of a driver’s device number on our system, which is deeply regretted,” the company stated, and added, “We have fixed this instance by deleting the number from our database and are putting in place a verification procedure as well to avoid such instances in the future. We value the privacy of our users and will continue to take utmost care in terms of data security on the Ola platform.”
The texts are sent from ‘VM-OLACAB’, and while the text appears garbled, when you look at it carefully, you see words like lat and lng, which likely mean latitude and longitude. Many of the numbers start with ‘14’, which as a latitude is just slightly north of Chennai, not too far from where Midha lives.
Midha, a 25-year-old freelance content writer, started getting these messages three weeks ago, and has received over 300 messages from Ola at all odd hours; the spam finally stopped on Sunday, after Midha took to Facebook and Twitter to complain. Aside from the messages with lat and lng information, Midha also sent us other messages she had received, which contained names, addresses, and phone numbers in plain text.
As Ola’s statement clarifies, the messages were supposed to be for drivers, possibly as a backup system so that the app will be able to receive customer location information for pickups even when the Internet connection is down. Midha’s number was mistakenly added to a database of drivers instead of customers, leading to the hundreds of messages.
That such an error is possible is worrying; in this instance, Midha hasn’t misused the information she was getting, and has drawn attention to it. But someone else might not have done the same thing. It’s important to note that this is not the first time there has been an instance of a potential data leak at Ola. In June, Ola was allegedly hacked, although the company denied the charge.
A hacker group had claimed that user information and credit card data were compromised. Ola eventually responded that there was no lapse, stating:
“There has been no security lapse, whatsoever to any user data. The alleged hack seems to have been performed on a staging environment when exposed for one of our test runs. The staging environment is on a completely different network compared to our production environment, and only has dummy user values exclusively used for internal testing purposes. We confirm that there has been no attempt by the hackers to reach out to us in this regard. Security and privacy of customer data is paramount to us at Ola.”
However, even if this is true, it means that while no data was exposed, at least part of Ola’s infrastructure was not designed with security in mind. This latest incident highlights the same mindset: a phone number wrongly entered into a database, with no system for verification, was leaking huge amounts of personal data.
This is a sensitive time for Ola; the Delhi Government rejected Ola’s license application, though, at the time of writing, it is still possible to find a few cars running on the service in Delhi. With rival Uber investing $1 billion in India, and expanding beyond metros, Ola is facing real competition.
Perhaps as a result, it has announced that its Ola Money wallet is being integrated with new partners, such as Oyo Rooms, Lenskart, and Saavn. It’s an interesting move, as it transitions Ola towards being less of a cab company, but the greater focus on payments is also going to call for a greater focus on security and privacy, and that’s something that Ola needs to demonstrate – quickly.