New Delhi, July 5, 2022 – Flexible workspace provider WeWork that exposed the personal information and selfies of thousands of people who visited its co-working facilities in the country, on Tuesday said it has fixed the bug that was part of a third-party software.
The vulnerability exposed visitors’ names, phone numbers, email addresses and selfies.
In a statement to IANS, the company said that the bug was in a third party tool integrated with their website for a testing phase, at the peak of Covid-19 pandemic to reduce the possible transmission of infection due to human interaction via “our standard guest registration process”.
“The application had a bug that allowed unintentional access to the basic visitor information, we have already transitioned out of it and have stopped using it across all our locations,” a company spokesperson said.
“Member data confidentiality is of paramount importance to us and we are always vigilant of any such cases and act on it on priority,” the spokesperson added.
The company, however, did not elaborate on how many visitors were impacted and whether it notified them about the data breach owing to the bug.
Security researcher Sandeep Hodkasia found unencrypted visitor data that got exposed owing to a bug in the check-in app on WeWork India’s website.
“I recently uncovered a security vulnerability in the WeWork app that exposed all visitors’ PII (Personally identifiable information) data,” tweeted Hodkasia, who is Co-founder of AppSecure.
PII is any information about an individual maintained by an agency that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records and any other information that is linked to an individual, such as medical, educational, financial, and employment information.
WeWork India is currently present at more than 40 locations with over 62,000 members. (Agency)