Global taxi software vendor exposes details of nearly 300K across UK and Ireland

Exclusive Taxi software biz iCabbi recently fixed an issue that exposed the personal information of nearly 300,000 individuals via an unprotected database.

The names, email addresses, phone numbers, and user IDs of the 287,961 affected individuals in the UK and Ireland were all exposed online. According to research shared with The Register ahead of publication, the details of individuals with senior roles in media outlets such as the BBC and various government departments such as His Majesty's Treasury, the UK Home Office, and the Ministry of Justice were included.

A number of former UK Members of Parliament (MPs), as well as one senior policy advisor and one EU ambassador, were caught up in the data exposure, it's understood.

Around 2,000 academic email addresses (those with .ac.uk domains) were also visible in the exposed data set. Jeremiah Fowler, the cybersecurity researcher who disclosed the findings to vpnMentor, said every account appeared to be unique, with no duplicates.

Such data could theoretically be used in convincing phishing scams that impersonate the taxi company, using the victim's full name and appearing legitimate by knowing other details, including their user IDs.

Dublin-based iCabbi provides software to more than 800 taxi fleets in 15 countries, including apps that comprise an entire platform. Dispatch is a system to manage fleet dispatching and BookApp is the underlying technology that allows taxi companies to provide a consumer-facing ride-hailing app experience without a bespoke application.

The company also offers software such as BookBusiness to more easily manage account-based customers, BookVoice for automated voice booking, and a suite of driver apps for things like navigation and in-car payments.

The exposed data appears to be related to the customer-facing apps powered by iCabbi's technology, given that staff details weren't included in the exposure.

Asked how Fowler was able to link the data to iCabbi, he said: "[iCabbi was] the common denominator. There were also mentions of iCabbi inside the database."

He went on to say that locating the database was "extremely easy" and the company was lucky it heard from an ethical researcher rather than a gang of cybercrminals.

"In this case, I found [the database] using the API of an IoT search engine," said Fowler. "The exposed files were indexed and I manually reviewed them. Unfortunately, it was extremely easy to find and the real danger is that many bad actors are also looking for this type of data.

"Luckily, they received a responsible disclosure notice from a security researcher and secured the database instead of a ransomware notice."

Fowler thinks the database was a content management storage repository used by the application for various documents which also included terms and conditions files alongside customer data. The exposed records were stored in the same folder as other documents that were protected, but the nature of these isn't known.

"As an ethical security researcher, I never bypass authorization credentials and only view documents that are publicly accessible to anyone with an internet connection," he said. "The potential risk of cybercriminals knowing the file paths of where documents are stored could allow a targeted brute force attack against the wider network or identifying individual misconfigured documents.

"I am not saying iCabbi's network was at imminent risk, but I am providing a hypothetical risk of exposing the file path where customer documents are collected and stored."

iCabbi didn't respond to El Reg's repeated requests for comment, but it did tell Fowler that human error was the cause of the security snafu, as is so often the case.

"Thanks again for bringing this to my attention – we have deleted the records," a company representative told the researcher. "Human error to blame here unfortunately … part of a migration of customers but we should not be using public folders. We are going to engage with customers to make them aware of this breach."

To iCabbi's credit, the company addressed the issue within a day, and according to Fowler responded to his disclosure professionally.

"I respect their honesty and disclosing how the exposure happened. To me this shows honesty and transparency," he said. "In my experience, when an organization has a data incident there is a very low likelihood that they will have another one in the next few years.

"This is because the resources are given and they invest in cyber security and vulnerability testing. According to research by Stanford University found that approximately 88 percent of all data breaches are caused by human error. Mistakes happen, it is not about naming and shaming as much as it is about awareness and customers being informed."

Whether the company has been in touch with affected customers yet, as it said it would, is unknown. Questions also remain about how long the database was exposed and whether it was ever accessed by cybercriminals. We'll update this story if iCabbi responds. ®