Drivers' Data Exposed in 7-Eleven Fuel App Breach
An app used by drivers to cut the cost of fuel has suffered a data breach that allowed users to view the personal information of other customers.
Names, email addresses, cell phone numbers, and dates of birth were exposed following the breach of the 7-Eleven fuel app, which occurred on Thursday. The app, which has been downloaded two million times, was taken offline for several hours while 7-Eleven worked on coming up with a fix.
The company was alerted to the breach by a male customer who was able to access the personal information of several other users after logging into the app.
The customer, who wished not to be named, reported being able to see information relating to other customers, including the amount of money they had in their accounts.
According to The Guardian newspaper, the customer logged in and out several times, and was able to view the personal information of other users with each fresh login.
The 7-Eleven fuel app uses a customer’s current location and real-time fuel-price data to help drivers find the best local gas price at their five closest 7-Eleven stores. Users can search for the best price, then lock it in by paying for their gas in advance.
After being taken down on Thursday afternoon for what 7-Eleven described as "maintenance," the app was brought back online at 5:30 pm.
A 7-Eleven spokesperson said: "The 7-Eleven Fuel App experienced a technical issue. The issue has been resolved, and the 7-Eleven Fuel App is now online for all customers. We are continuing to investigate and have informed the relevant authorities."
Based in Irving, Texas, 7‑Eleven operates, franchises, and/or licenses more than 69,000 stores in 17 countries, including 11,800 in North America.
The Japanese arm of 7-Eleven had to shut down its mobile payment app in July of this year following a data breach that impacted around 900 customers and resulted in fraudulent transactions totaling more than $500,000.
An investigation was prompted following a customer inquiry on July 2 regarding unauthorized charges. The company discovered that hackers had accessed the customer's 7pay app and impersonated the authorized user to make fraudulent purchases using the bank card details stored in the app.
Commenting on the fuel app breach, Mark Noctor, VP EMEA at Arxan Technologies, said: "This breach highlights the need for companies to treat their application as the new 'real' endpoint that needs to be considered during the formation of a security strategy."
Source: Information Security Magazine