iCabbi have taken vital steps to ensure no other potential exposures after cyber security discovery
Cybersecurity expert Jeremiah Fowler reports uncovering a vulnerable database containing personal details of nearly 300,000 UK and Ireland taxi passengers.
The exposed database, linked to Dublin-based tech firm iCabbi, was reportedly not secured with a password back in January, rendering sensitive information accessible.
iCabbi has since deleted the data file and told taxi operators of the event. The tech firm have also taken additional steps to ensure there were no other potential exposures.
Fowler, a cybersecurity researcher for vpnMentor, reported the flaw, which included 22,745 records. These contained names, email addresses, phone numbers, and user IDs across a variety of domains, including major email providers and prestigious institutions. Notably, email addresses linked to BBC, NIH, HM Treasury, Ministry of Justice, and several universities and government departments were among those compromised.
The data, amassed in CSV documents, also revealed the business affiliation of the exposed individuals, heightening concerns over privacy and security. The nature of the breach suggests it could have been due to an oversight during a customer data migration process, according to iCabbi’s response to the discovery.
iCabbi specialises in taxi and private hire vehicle operator dispatch technology.
According to Fowler, the company responded promptly by securing the database and commencing an internal audit to assess the extent of the breach and any further vulnerabilities. They also acknowledged the incident, attributed to human error, and expressed their commitment to informing affected customers.
In a direct response to Fowler, iCabbi stated: “Thanks again for bringing this to my attention - we have deleted the records. Human error to blame here unfortunately... part of a migration of customers but we should not be using public folders. We are going to engage with customers to make them aware of this breach.”
Fowler said: “I imply no wrongdoing by iCabbi, their partners, clients, or customers. I am also not saying the data was at risk or accessed by any other individuals.”
An iCabbi spokesperson said in response to vpnMentor’s findings: “Back in January of this year, the author of today’s post on vpnMentor made us aware of data that remained in an AWS public file, the result of the migration of taxi company data from one app to another.
“We deleted the data file, let the taxi companies know of the event, and took additional steps to make sure there were no other potential exposures.
“Our system wasn’t hacked and the author of the post, acting in his own words as an “ethical hacker,” commended us for taking such quick and professional action.
“We are unaware of why vpnMentor, a website promoting itself as “a committed and helpful tool when navigating VPNs and web privacy,” chose to post this article today – we were given no advanced notice of the posting. We respectfully suggest that the title of the post is misleading.”