The “Bolt got hacked” story: what really happened?

October 01, 2019

bolt got hacked story: what really happened

You know that feeling when you encounter a big technical error and you’re scared to see how it might impact your users and your public image?

Now, imagine that everything is fine in tech-land and you’re happily relaxing at home when you’re phone turns red as social media is gradually being flooded with hack claims? If social media supposedly impacted the US presidential election by 5-10%, then we suffered 5 times as much in just one night.

Last Thursday evening, Twitter began buzzing in Nigeria with false claims that Bolt had been hacked, credit card information stolen, and how people were being charged for phantom rides. We lost a big percentage of our card payments and a large number of our customers, as a result. To make matters worse, none of these claims were true.

In this blog post, we’ll explain exactly how Bolt customers’ credit card data is handled and how the complex matrix of international payment systems caused users to think that they were being charged for phantom rides.

How is credit card data handled?

First, let’s address the hack claims. There was no hack. The truth is that Bolt doesn’t store any credit card details. Even if someone tried really, really hard, the fact is that there are literally no credit card details there to be stolen!
When a user opens the Bolt app and inserts their card details, those details get encrypted and sent directly to a PCI compliant third-party service vault. This vault is like a big safe — you know, the kind you see in western heist movies — the only difference is that this credit card vault is digital.

In the graph below, you can see the encrypted card data journey. Only the company that stores the credit card can see the card details, and they decrypting it with a secret key. In Nigeria, we use PayU for this service. This means that only PayU — and no one else — is able to access your card details.

Journey of encrypted data

What does PCI mean?

PCI might sound boring, but it’s actually very important. The credit card industry has come up with special rules and regulations in order to protect consumers’ credit card details. Only companies that fulfil the highest ‘Level 1’ criteria are allowed to store credit card data, companies that fall short of this are not.

All of Bolt’s partners that store customer data are PCI Level 1 compliant.  

But why can’t Bolt take care of this itself? Well, we’re in the process of getting PCI Level 1 approval, but even once we have permission, we’re still not going to store any customer credit card details. The main reason? Safety. If we don’t store credit card details, then they cannot be stolen. So, instead, we’ll continue to trust a dedicated third-party, with state of the art security, to manage that for us.

Double charges? Phantom rides?

Do you remember what you had for dinner two weeks ago? Probably not.

This is exactly what happened with our Nigerian customers’ rides. People who took a ride on 13th and 14th September were only charged for it almost 2 weeks later. And that’s when the tornado broke loose.

Bolt users shared screenshots of their bank statements showing money deducted from their accounts on days when they hadn’t actually used Bolt. And we don’t blame them. Who wouldn’t be upset?

A quick check from the Bolt database told us the amounts matched old rides. Still, the question remained — why weren’t the customers charged right away? Usually, payments are done the same day or the next, but never this late.

It’s a long chain with many links

When a customer takes a ride in Nigeria and pays for it with their credit card, for that payment to happen, multiple links between the customer and Bolt are made.

The (slightly simplified) process goes like this:

  1. Bolt sends the PCI compliant processor, PayU, the ride price.
  2. PayU checks their encrypted data to see which bank the customer’s card is from.
  3. PayU sends the ride price and the bank’s name to the local acquirer.
  4. Our local acquirer, Zenith bank in Nigeria, takes the long list of ride prices and bank names and filters it out so that each bank would know how much their customers have to pay.
  5. Finally, the customer’s bank gets the list and charges the customer.

Quite a ride, right?

long chain with many links

In a chain with so many links, information can easily become delayed. In this specific case, the local acquirer forgot to forward the list of payments on the 13th and 14th of September. Instead, they sent that old list across to customers’ banks almost two weeks later.

So, as you can see, even in the most well-oiled systems, human errors can occur. We’re really happy that Bolt’s Nigerian customers spotted the mistake and let us know that something was going on. Keeping our customer’s data safe is our top priority and that will always be the case.

Hopefully, this helps to explain what really happened and gives you an insight into what goes on behind the scenes after you take a ride with Bolt. Most importantly, we hope that you’ll now feel much more comfortable in re-entering your card details to the Bolt app (link for Android, link for iOS) if you removed them because of this issue. Please do so and continue using Bolt for fast, affordable rides!

If you would like to talk to our Customer Support team about any of this, please get in contact with them and they’ll be happy to assist you.


The Bolt Team

Recent posts