A data breach of London-based startup Urban Massage exposed the personal records of more than 309,000 users including data on clients accused of sexual misconduct.
The service offers “wellness that comes to you” allowing users to book massage therapist to come them.
The breach was the result of the company leaving its Google-hosted ElasticSearch database online without a password and as a result, anyone who knew where the site was hosted could search, edit or delete the information it held.
The database exposed data including names, email addresses, and phone numbers as well as unique referral codes that could allow friends to get discounted treatments. The exposed documents also revealed complaints about clients who were described as “dangerous” and clients who were under police investigation for incidents including asking for “massage in genital area.”
The exposed data based was discovered by security researcher Oliver Hough who initially reported the issue to TechCrunch. The publication alerted Urban Massage who subsequently rectified the situation. It’s unknown exactly how long the database was left exposed but the publication estimates the database was exposed for at least a few weeks.
Officials also alerted the U.K.’s privacy watchdog, the Information Commissioner’s Office of the incident.
“Urban is looking into this as a matter of utmost urgency,” Chief executive Jack Tang said in a statement. “We have informed the ICO and will take all other appropriate action, including in relation to data and communications.”
A spokesperson for the ICO told the publication it “will assess the information we receive against data protection laws, before deciding whether or not to investigate.”