7-Eleven gas station payment app suffers data breach
Data protection specialists report that the gasoline-buying app operated by the popular 7-Eleven store chain was the target of a supposed cyberattack that led to a sensitive data breach that exposed details such as user names, phone numbers, among others.
Last Thursday, the company opted to disconnect
the app for a few hours, after one of the users notified that it was possible
to access the personal information of many other users through the app, which
has about two million downloads. The app allows you to make fuel payments in
advance, with which users try to take advantage and fill their fuel tanks at
the lowest possible price.
The user who reported the error, whose identity
was not revealed, mentioned that he discovered the leak a few days ago, while
trying to login to the app as usual. When he signed in with his own login
credentials, he found another user’s account information instead of his. When
the user logged out and logged back in, he found the data for a different user
again. After checking the veracity of the user’s report, 7-Eleven data
protection team announced emergency maintenance.
Hours later, a company spokesperson mentioned
that the app was already online again, although he added that he could not
comment on the cybersecurity incident, because the investigation is still
ongoing. “Some technical issues were detected in the mobile application
(7-Eleven Fuel). The issue has already been resolved and the services are
available to all users. We will continue to investigate the incident in
collaboration with the relevant authorities,” the spokesman concluded.
Because the incident occurred in Australia,
data protection experts mention that the company must adhere to data protection
laws in Australia. Under Australian law, companies that are victims of data
breaches must notify the Information Commissioner’s Office, as well as affected
users, when the incident involves information that may be used to the detriment
of users.
A few hours later, a representative of the
Australian Information
Commissioner’s Office confirmed to local media that the company had
already begun the process: “We can confirm that we have received a
notification about a possible data breach in 7- Eleven.” Up to this point
in 2019, this organization has received 1,160 reports on data breaches,
including 900 incidents considered high seriousness.
Other cybersecurity incidents have recently
occurred in this chain of stores. A few months ago, data protection specialists
from the International Institute of Cyber Security (IICS) reported that
7-Eleven Japan suspended its mobile payment service (which had just been
implemented) after an unauthorized third party achieved exploit a vulnerability
to charge other customers’ accounts fraudulently.
Gloss