iCabbi said the data was in an AWS public file as a result of the migration of taxi company data from one app to another and stressed that its system was not hacked.
A cybersecurity researcher recently discovered an unprotected database with personal details of nearly 300,000 passengers who used the services of Dublin-based taxi dispatch service iCabbi.
Jeremiah Fowler, a researcher at vpnMentor who finds and reports data breaches and vulnerabilities, revealed in a statement yesterday (11 April) that he was able to access a non-password-protected document with personal details of the passengers based in Ireland and the UK.
These details, he said, included names, emails, phone numbers and user IDs. Email domains included high-profile media organisations such as the BBC, UK government agencies such as the UK’s HM Treasury and Ministry of Justice, and around 2,000 UK university accounts.
“Upon further research, it was identified that the records belonged to a company called iCabbi, which provides a taxi dispatch platform technology for taxi services and passengers,” Fowler said of the breach that was first discovered in January.
“I immediately sent a responsible disclosure notice of my findings, and public access was restricted the following day. It is unclear how long the data was exposed or if anyone else may have accessed the non-password-protected database. Only an internal forensic audit would identify any additional access or suspicious activity.”
Sinead Gillett, chief marketing officer of iCabbi, said that the exposed data was in an Amazon Web Services (AWS) public file as a result of the “migration of taxi company data from one app to another”.
“We deleted the data file, let the taxi companies know of the event and took additional steps to make sure there were no other potential exposures,” she said, adding that iCabbi’s system was not hacked.
“We are unaware of why vpnMentor … chose to post this article today – we were given no advanced notice of the posting. We respectfully suggest that the title of the post is misleading.”
Fowler clarified in his post that as an “ethical security researcher” he never bypasses authorisation credentials and only views documents that are “publicly accessible to anyone with an internet connection”.
“The potential risk of cybercriminals knowing the file paths of where documents are stored could allow a targeted brute force attack against the wider network or identifying individual misconfigured documents,” he wrote.
“I am not saying iCabbi’s network was at imminent risk, but I am providing a hypothetical risk of exposing the file path where customer documents are collected and stored.”
Last November, iCabbi managed to gain access to Google’s Fleet Engine to level the playing field between its taxi customers and global ride-hail giants. The company said the integration will give its customers improved system performance and new fleet analytics to manage demand and supply more effectively.
Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.