Cybersecurity researchers have uncovered a significant data exposure concerning nearly 300,000 taxi passengers in the UK and Ireland.
Jeremiah Fowler, in collaboration with vpnMentor, found a non-password-protected database containing personal details such as names, phone numbers and email addresses. These records, belonging to Dublin-based iCabbi, a dispatch and fleet management technology provider, were left vulnerable to potential exploitation.
The exposed database contained 22,745 records and .csv documents with customers’ names, emails, phone numbers and user IDs. Among the compromised data were email addresses from various providers and private domains including: 117,231 Gmail; 65,060 Hotmail; 17,588 Yahoo; 18,099 iCloud; 12,798 Outlook; 7,484 Live; and others.
Notably, email addresses from media outlets and government agencies like the BBC, NIH, HM Treasury and Ministry of Justice were also exposed, along with university email addresses.
“The exposure of names, email addresses, phone numbers and user IDs opens a Pandora’s box of potential security issues, from identity theft to targeted phishing attacks,” said Javvad Malik, lead security awareness advocate at KnowBe4.
“The inclusion of high-profile individuals – from MPs to a senior policy advisor and an EU ambassador – elevates the risk, introducing possible avenues for more complex social engineering and espionage efforts.”
Upon further investigation, Fowler determined that the database served as a storage repository for various documents used by the application. While only certain documents were publicly accessible, the risk that cybercriminals could exploit this knowledge for targeted attacks remains a concern.
Fowler promptly notified iCabbi of the issue. The firm responded transparently, acknowledging the error and swiftly deleting the exposed records.
“It is refreshing to see that iCabbi has responded so well to this report,” said Adam Pilton, cyber security consultant at CyberSmart.
“Thanking the researcher, explaining what happened and advising that they will contact their customers to make them aware, and all within a day. This is what should happen, but so often we hear of researchers being ignored or cagey responses given.”
At the same time, Erfan Shadabi, a cybersecurity expert at comforte AG, emphasized that recent incidents like the one identified in iCabbi’s taxi software highlight the substantial risks stemming from vulnerabilities and misconfigurations within organizational systems.
“Organizations need to adopt a data-centric security approach, such as tokenization, to protect sensitive information effectively,” Shadabi warned. “By implementing robust data protection measures, organizations can ensure that even if technical issues arise, the integrity and confidentiality of their data remains intact.”