STCS, a Saudi Arabian telecom company, was running a server containing hundreds of thousands of constantly updated GPS locations before Motherboard contacted the organization about the issue.
It is not clear what the GPS locations referred to, but they pointed to locations spread throughout Saudi Arabia, and were seemingly sourced from a variety of brands of GPS trackers, according to data in the exposed server. The data was not supposed to be public, judging by STCS' reaction of fixing the server exposure once aware of the issue.
"STCS: the leading telecommunications and IT provider in Saudi Arabia," STCS's website reads.
A source who did not provide their name sent Motherboard the IP address of the exposed server. It contained an instance of Kibana, a piece of software for sorting and visualizing data. The data included a rolling list of regularly updated entries, with the date and time, latitude and longitude coordinates, and the brand of the GPS tracker. The last 15 minutes of rolling data had over 140,000 entries.
Do you know about another data exposure? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Motherboard plotted a snapshot of the data onto a map and found the vast majority of the locations were inside Saudi Arabia, with a handful in China and off the coast of west Africa. Motherboard is not publishing the map because we don’t know what exactly the GPS locations relate to and thus we are unsure of how sensitive the data is.
STCS offers clients multiple different products, such as those in big data, cybersecurity, and internet of things, according to its website.
"The server was used for testing some internal services," Khalid Alotaibi, a security architect with STCS, wrote in an email after Motherboard reached out to the company. "We assure you that we fixed the issue and will make sure that it will not occur again the future."
Alotaibi did not respond to a follow-up question asking what the GPS locations referred to.
Subscribe to our cybersecurity podcast, CYBER.