Subway also hit… Evidence of ‘customer personal information’ exposed unguarded, including phone numbers

Subway Website and App Exposes Customer Personal Information

Recently, amid a series of personal information leak incidents on online platforms like Papa John's and Mustit, indications of customer data exposure were detected in the online ordering system of the sandwich franchise Subway.

According to Choi Min-hee, chairperson of the National Assembly's Science, Technology, Information and Broadcasting Committee, a vulnerability was found in Subway's website and mobile application that allows easy access to other customers' personal information without logging in.

The vulnerability involves URL manipulation: after opening an order page, changing just a few digits at the end of the URL displays another customer's contact details and order information on the screen.
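What the article describes is the classic insecure direct object reference: the order page trusts the identifier in the URL and never checks whether the requester owns that order, and because the identifiers are sequential, neighbouring orders are one edit away. The following is an added example, not Subway's code; the in-memory order store, the customer and order identifiers, the session model and the access-log lines are all constructed for illustration. It shows the flawed lookup beside a hardened one, an opaque-id generator as defence in depth, and a small log scan of the kind an operator would run to estimate how many orders an enumerating client actually reached.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import re
import secrets


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_id: str
    phone: str
    items: tuple


# Constructed sample data. Sequential ids mirror the article's description:
# changing a few digits at the end of the URL reaches a neighbouring order.
ORDERS = {
    "100231": Order("100231", "cust-A", "010-1111-2222", ("Italian BMT",)),
    "100232": Order("100232", "cust-B", "010-3333-4444", ("Veggie Delite",)),
    "100233": Order("100233", "cust-C", "010-5555-6666", ("Tuna",)),
}


def get_order_vulnerable(order_id: str) -> Optional[dict]:
    """The flawed pattern: the handler trusts the id taken from the URL and never
    asks who is requesting. Anyone who can reach /orders/<id> sees that order."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    return {"phone": order.phone, "items": list(order.items)}


class NotFound(Exception):
    """Raised for orders the caller may not see, whether or not they exist."""


def get_order_hardened(session_customer_id: Optional[str], order_id: str) -> dict:
    """Hardened handler: require an authenticated session, then check that the
    order belongs to that session's customer. Unowned and nonexistent orders get
    the same error, so the response does not confirm which ids are valid."""
    if session_customer_id is None:
        raise PermissionError("login required")
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        raise NotFound(order_id)
    return {"phone": order.phone, "items": list(order.items)}


def can_view(session_customer_id: Optional[str], order_id: str) -> bool:
    """Convenience wrapper: True only when the hardened handler would serve the order."""
    try:
        get_order_hardened(session_customer_id, order_id)
        return True
    except (PermissionError, NotFound):
        return False


def new_order_id() -> str:
    """Opaque, unguessable order ids. Defence in depth only: the ownership check
    above is the control that actually matters."""
    return secrets.token_urlsafe(16)


# --- detection: spot enumeration of order ids in access logs ----------------
# Constructed log lines: client ip, session, method, path, status.
SAMPLE_LOG = """\
203.0.113.7 sess=abc GET /orders/100231 200
203.0.113.7 sess=abc GET /orders/100232 200
203.0.113.7 sess=abc GET /orders/100233 200
203.0.113.7 sess=abc GET /orders/100234 404
203.0.113.7 sess=abc GET /orders/100235 200
198.51.100.9 sess=xyz GET /orders/100231 200
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) sess=(?P<sess>\S+) GET /orders/(?P<oid>\d+) (?P<status>\d{3})$"
)


def find_enumerators(log_text: str, threshold: int = 3) -> dict:
    """Return {session: distinct order ids requested} for sessions above the
    threshold. A customer views a handful of their own orders; a client walking
    consecutive ids stands out regardless of the status codes it received, and
    the count is a first estimate of how many records it reached."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["sess"]].add(m["oid"])
    return {s: len(ids) for s, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print("vulnerable, no session:", get_order_vulnerable("100232"))
    print("hardened, wrong owner:", can_view("cust-A", "100232"))
    print("enumerating sessions:", find_enumerators(SAMPLE_LOG))
```

The point of raising the same error for "not yours" and "does not exist" is that an attacker probing ids learns nothing from the status code; the opaque id then makes probing impractical in the first place. The log scan counts distinct ids per session rather than 404s, since an unguarded endpoint like the one described would have returned 200 for every existing order, so failures alone would understate the exposure.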

According to Choi, it is estimated that personal information has been left exposed in this manner for at least five months.

In response, Subway stated, "We have discovered a technical issue that potentially exposes limited customer information through our online ordering service on the website accessed via PC," adding, "We have taken immediate action to resolve this issue, and it has now been addressed."

However, as of now, the actual exposure of customer information or its scale has not been determined.

Recurring Personal Information Leaks Among Companies… A Repeating Pattern

Subway's case shows remarkably similar patterns to recent incidents of personal data leaks from various companies.

The pizza franchise Papa John's experienced a similar URL-manipulation incident in which not only customers' names and contact information were exposed, but also credit card numbers and shared building entrance door codes.

The luxury platform Mustit also faced controversy after a vulnerability that allowed member information to be accessed without verification was revealed.

Under current law, companies that poorly manage personal data can face fines of up to 50 million KRW and additional penalties that may be up to 3% of their total revenue.

Despite these penalties, calls for stronger regulations are increasing as similar incidents continue to occur.

Chairperson Choi Min-hee emphasized, "In a situation where online ordering services have become commonplace, the recurrence of such basic security vulnerabilities is a serious issue," urging the government to swiftly prepare measures such as strengthened regulations and penalties.

Meanwhile, consumers need to take self-protective measures against potential data leaks, such as regularly changing passwords, reviewing payment history, and immediately reporting any suspicious activity.

Additionally, companies should strive to prevent similar incidents by conducting regular security checks and vulnerability testing.

Image Source: Reference materials for understanding the article / Photo = Insight, Choi Min-hee's office of the Democratic Party of Korea, Choi Min-hee, Chairperson of the National Assembly's Science, Technology, Information and Broadcasting Committee / News1