Urban Company – Update on Data Protection and Security

Dear Users,

Trust you are well. We at Urban Company take your data and privacy seriously. Our security and data protection team follows global best practices, and works with leading ethical hackers in the country for advise, regular diagnosis and proactive efforts to safeguard your data. In light of the recent industry events around data and privacy, we decided to do a thorough audit of our systems, and scan all external third-party platforms we work with, for any potential data breaches we might have overlooked.

During this audit, we have come across a possible data breach in early 2017, which might have compromised some of our platform data.

This breach was part of an automated, large-scale attack, termed as the “MongoDB Apocalypse”, which affected over 25,000 databases across the globe within a short period, hosted on MongoDB. MongoDB is a leading cloud based data storage platform which Urban Company, and several other technology companies, use. During these attacks, hackers had discovered and exploited vulnerabilities to delete large scale data-sets of companies stored on the platform. Data of several leading technology companies was compromised in the process. One of our “staging” databases (used for testing) also fell prey to this attack. This database was used for the purpose of internal testing only. Given the automated nature of the global event, and any potential breach being limited to our testing ecosystem, we did not worry too much about it at the time, and continued to focus on improving our security. In the hindsight, this was a lapse on our part.

However, our recent audits give us reason to believe that this data might have contained parts of our “production” (real-traffic) data as well, including emails and phone numbers of some of our users. As a result, some of the data of our users, including emails and telephone numbers, might have been leaked. Please be rest assured that NO credit/debit card or banking data, or passwords were leaked during this attack. We work with secure PCI DSS compliant payment partners who store payment card / banking specific information on their side.

Over the past one year, we have taken several steps to beef up our platform security. We have created a dedicated team of engineers and security experts, who have worked on the following efforts –

• Data Encryption – All the data in our network is protected using 256 bit encryption. Additionally, all sensitive information (like password) is stored only as hashes. The ensures that even we don’t know what the decrypted data is.
• Data Safety – All our production data is stored in a secure vault, protected by industry grade firewalls and guarded by multiple levels of security.
• Security Audits – We are constantly evaluating our safety measures through internal and external security audits to ensure that the products and services we deliver always meet appropriate security safeguards. We work with some of the leading industry experts, like Anand from Appsecure, and other global security platforms, to beef up our security.
• Constant Monitoring – We work with the best in class industry solutions to identify and automatically block any threat into our system.
• Secure Payment Related Data – From day one on Urban Company, your Credit Card, Debit Card and all Payment/Banking related information has always been secure. We have only worked with secure PCI DSS compliant payment partners who store payment card / banking specific information on their side.

Data security forms a core pillar of our company’s ethos. We work hard to make our user data safe and secure, and we treat all potential threats with utmost urgency. We had solved for securing our systems from the said nature of attack then, and we continue to invest in our data security.

We take this event with humility and in our stride to secure our user’s privacy. Please contact us at [email protected] in case you have any questions or suggestions.

Regards,
Raghav Chandra
Cofounder, Urban Company