Cybersecurity researchers have discovered a significant exposure of data relating to almost 300,000 taxi passengers in the UK and Ireland.
Jeremiah Fowler, working with vpnMentor, found a non-password-protected database containing personal information such as names, phone numbers and email addresses. These records, belonging to Dublin-based iCabbi, a provider of dispatch and fleet management technology, were left vulnerable to potential exploitation.
The exposed database contained 22,745 records and .csv documents with customer names, email addresses, phone numbers, and IDs. Among the compromised data were email addresses from various providers and private domains, including: 117,231 Gmail; 65,060 Hotmail; 17,588 Yahoo; 18,099 iCloud; 12,798 Outlook; 7,484 Live; and others.
Notably, the email addresses of media outlets and government agencies such as the BBC, NIH, UK Treasury and the Ministry of Justice were also exposed, as well as the email addresses of universities.
“Disclosure of names, email addresses, phone numbers and user IDs opens a Pandora’s box of potential security issues, from identity theft to targeted phishing attacks,” said Javvad Malik, lead security awareness advocate at KnowBe4.
“The inclusion of high-profile figures – from MPs to a senior policy advisor and an EU ambassador – increases the risk, paving the way for more complex social engineering and espionage efforts.”
On further investigation, Fowler determined that the database served as a storage repository for various documents used by the application. Even if only certain documents were publicly available, the potential risk of cybercriminals exploiting this knowledge to carry out targeted attacks remains a concern.
Fowler quickly informed iCabbi of the problem. The company responded transparently, acknowledging the error and quickly removing the exposed records.
“It’s refreshing to see that iCabbi has responded so well to this report,” said Adam Pilton, cybersecurity consultant at CyberSmart.
“Thank the researcher, explain what happened and tell them that they will contact their clients to inform them, all within the day. This is what should happen, but so often we hear about researchers being ignored or responses being cautious.”
At the same time, Erfan Shadabi, cybersecurity expert at comforte AG, said that recent incidents like the one identified in iCabbi’s taxi software highlight significant risks arising from vulnerabilities and misconfigurations within organizational systems.
“Organizations must adopt a data-centric security approach, such as tokenization, to effectively protect sensitive information,” Shadabi warned. “By implementing robust data protection measures, organizations can ensure that even if technical issues arise, the integrity and confidentiality of their data remains intact.”