Taxi software vendor discloses personal data of nearly 300,000 • The Register

Exclusive Taxi software biz iCabbi recently resolved an issue that exposed the personal information of nearly 300,000 individuals through an unsecured database.

The names, email addresses, phone numbers and user IDs of 287,961 affected people in the UK and Ireland were exposed online. According to research shared with The Register before publication, the data includes details of individuals in senior roles at media outlets such as the BBC and at government departments such as HM Treasury, the UK Home Office and the Ministry of Justice.

A number of former UK Members of Parliament (MPs), as well as a senior political adviser and an EU ambassador, are understood to have been caught up in the leak.

About 2,000 academic email addresses (those with .ac.uk domains) were also visible in the exposed data set. Jeremiah Fowler, the cybersecurity researcher who made the findings for vpnMentor, said each account appears to be unique, with no duplicates.

Such data could theoretically be used in convincing phishing scams impersonating a taxi company: a message that addresses the victim by full name and quotes other details, including their user ID, looks legitimate.

Dublin-based iCabbi provides software for more than 800 taxi fleets in 15 countries, offering the applications that together make up a complete platform. Dispatch is a fleet dispatch management system, and BookApp is the underlying technology that lets taxi companies offer a consumer-facing ride-hailing app experience without building a custom app.

The company also offers software such as BookBusiness for easier account-based customer management, BookVoice for automated voice booking, and a suite of driver apps for things like navigation and in-car payments.

The exposed data appears to be related to customer applications powered by iCabbi’s technology, given that staff details were not included in the exposure.

Asked how he was able to connect the data to iCabbi, Fowler said: “[iCabbi was] the common denominator. There were also mentions of iCabbi within the database.”

He said locating the database was “extremely easy” and the company was lucky to hear from an ethical researcher rather than a group of cybercriminals.

“In this case I found [the database] using the IoT search engine API,” Fowler said. “The exposed files were indexed and manually reviewed by me. Unfortunately, it was very easy to find and the real danger is that many bad actors are also looking for this type of data.

“Fortunately, they received a responsible disclosure notice from a security researcher and secured the database instead of a ransomware notice.”

Fowler thinks the database was a content management repository used by the application for various documents that also included terms and conditions files in addition to user data. The exposed records were stored in the same folder as other documents that were protected, but their nature is unknown.

“As an ethical security researcher, I never bypass authorization credentials and only look at documents that are publicly available to anyone with an Internet connection,” he said. “The potential risk of cybercriminals knowing the file paths where documents are stored could enable a targeted brute force attack on a wider network or the identification of individual misconfigured documents.

“I am not saying that iCabbi’s network was in immediate danger, but I am offering a hypothetical risk of revealing the file path where customer documents are collected and stored.”

iCabbi did not respond to The Register’s repeated requests for comment, but told Fowler that human error was the cause of the lapse, as is often the case.

“Thanks again for bringing this to my attention – we have deleted the records,” a company representative told the researcher. “Unfortunately human error can be blamed here…part of user migration, but we should not be using public folders. We will work with users to make them aware of this breach.”

To iCabbi’s credit, the company fixed the issue within a day, and according to Fowler, responded to his disclosure professionally.
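The root cause the company described, records left in a public folder of a document repository during a user migration, is a misconfiguration that can be caught by auditing folder grants before and after such a migration. The following is an added example, not iCabbi's code or any cloud vendor's API: the listing format, the principal and permission vocabulary (`AllUsers`, `READ`, and so on) and the sample folders are constructed for illustration. It flags every folder readable by a public principal, rates folders whose names hint at personal data higher, keeps an explicit allowlist for documents that are meant to be public (such as the terms and conditions files Fowler mentioned), and produces a corrected listing with the stray public grants removed.

```python
"""Audit a document repository's folder grants for public access.

Added example, not iCabbi's code or any vendor's API: the listing format,
the grant vocabulary and the sample folders below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable

# Principals that mean "anyone on the Internet" in the constructed vocabulary.
PUBLIC_PRINCIPALS = frozenset({"AllUsers", "AuthenticatedUsers", "*"})
# Permissions that let a public principal read or enumerate a folder.
READ_LIKE = frozenset({"READ", "LIST", "FULL_CONTROL"})
# Folder-name fragments that suggest personal data rather than legal boilerplate.
SENSITIVE_HINTS = ("user", "customer", "migration", "export", "account")


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    permission: str
    severity: str  # "HIGH" when the folder name hints at personal data


def audit_folders(listing: Iterable[dict], allow_public: frozenset = frozenset()) -> list:
    """Return one Finding per public, read-like grant on a folder.

    Each item of `listing` looks like
    {"path": str, "grants": [{"principal": str, "permission": str}]}.
    Folders named in `allow_public` (documents intended to be public, such as
    terms and conditions) are skipped.
    """
    findings = []
    for folder in listing:
        path = folder["path"]
        if path in allow_public:
            continue
        sensitive = any(hint in path.lower() for hint in SENSITIVE_HINTS)
        for grant in folder.get("grants", []):
            if grant["principal"] in PUBLIC_PRINCIPALS and grant["permission"].upper() in READ_LIKE:
                findings.append(Finding(path, grant["principal"], grant["permission"],
                                        "HIGH" if sensitive else "MEDIUM"))
    return findings


def remove_public_grants(listing: Iterable[dict], allow_public: frozenset = frozenset()) -> list:
    """Return a corrected copy of `listing` with public grants stripped from
    every folder that is not explicitly allowlisted."""
    fixed = []
    for folder in listing:
        grants = list(folder.get("grants", []))
        if folder["path"] not in allow_public:
            grants = [g for g in grants if g["principal"] not in PUBLIC_PRINCIPALS]
        fixed.append({"path": folder["path"], "grants": grants})
    return fixed


# Constructed sample: a terms folder that is legitimately public, a migration
# folder that was accidentally made public, and a correctly private folder.
SAMPLE_LISTING = [
    {"path": "/docs/legal/terms/",
     "grants": [{"principal": "AllUsers", "permission": "READ"}]},
    {"path": "/docs/user-migration/2023/",
     "grants": [{"principal": "AllUsers", "permission": "READ"},
                {"principal": "app-service", "permission": "FULL_CONTROL"}]},
    {"path": "/docs/invoices/",
     "grants": [{"principal": "app-service", "permission": "READ"}]},
]
PUBLIC_OK = frozenset({"/docs/legal/terms/"})

if __name__ == "__main__":
    for f in audit_folders(SAMPLE_LISTING, PUBLIC_OK):
        print(f"{f.severity}: {f.path} readable by {f.principal} ({f.permission})")
    # After stripping the stray grants, nothing outside the allowlist is public.
    assert not audit_folders(remove_public_grants(SAMPLE_LISTING, PUBLIC_OK), PUBLIC_OK)
```

Run against the sample, the audit reports only the migration folder (rated HIGH because its name suggests user data), and the corrected listing keeps the terms folder public while leaving the migration folder readable by the application service alone. In practice the listing would be produced from the repository's own permission export and the check run as a gate in the migration procedure, so that a folder is never left world-readable between the copy step and the cleanup step.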

“I respect their honesty and disclosure of how the exposure came about. To me, that shows honesty and transparency,” he said. “In my experience, once an organization has had a data incident, it is very unlikely that they will have another one in the next few years.

“That’s because resources are given and they’re investing in cybersecurity and vulnerability testing. According to Stanford University research, approximately 88 percent of all data breaches are caused by human error. Mistakes happen, it’s not about naming and shaming as much as it’s about customer awareness and information.”

It’s not known if the company has already contacted affected customers, as it said it would. Questions also remain about how long the database was exposed and whether it was ever accessed by cybercriminals. We will update this story if iCabbi responds. ®
