Information of 287,000 taxi passengers exposed in data breach
Scammers could use details to pose as cab companies
A data breach within the Irish taxi software firm iCabbi, which potentially affected 287,000 taxi passengers in Ireland and the UK, has been described by the company as human error.
The lapse exposed names, emails and phone numbers of customers based in Ireland and the UK.
Those affected included senior BBC directors, journalists and executives, British government officials and an ambassador to an EU country.
The security researcher who discovered the data breach, vpnMentor’s Jeremiah Fowler, said an exposed database with almost 23,000 records and documents containing the personal information was not password-protected.
Contacted by Mr Fowler about the breach, an iCabbi executive attributed the lapse to “human error” when migrating a customer database.
The executive said the company would contact customers to make them aware of the breach.
In a statement to the Irish Independent, a spokesperson for iCabbi acknowledged the breach, saying the company “took appropriate action and contacted the affected taxi companies”.
She did not say whether any of the affected individuals or companies suffered any loss.
“It’s a wake-up call for users to be aware of phishing attempts or suspicious emails from taxi providers,” Mr Fowler said.
“Another potential risk would be criminals having access to the contact information and private phone numbers of public officials or those working in the media.”
ICabbi is a software platform for taxi companies that provides dispatch, contact and payment systems.
The Howth-founded firm sold a majority stake to Renault in 2018.
By 2022, it claimed to be the biggest dispatch technology provider in the world, supplying about 100,000 taxis every day in Ireland, the UK, the US, Canada, New Zealand, Australia and Finland.
In an expanded account of uncovering the breached data on vpnMentor’s website, Mr Fowler described iCabbi’s response and reaction to his disclosure as one of “transparency”, adding: “iCabbi acted fast and professionally to secure the data upon receiving my responsible disclosure notice.”
However, he said potential risks of exposed user data include the possibility of criminal exploitation.
“When criminals know the specific services that customers use as well as their contact details, they have sufficient information to engage in targeted phishing campaigns,” he said.
“In this case, for example, I was able to search for specific domain names such as ‘.gov.uk’ and identify individuals who work at local, regional and national government agencies.
“These individuals could potentially be higher-value targets compared to the average passenger, depending on the motives behind the hypothetical attack.
“Hypothetically, the most common tactic would be criminals sending mass emails to users under the false pretences that the email is an official communication from a legitimate taxi service using iCabbi’s technology.
“Cybercriminals could potentially target these individuals to get them to reveal additional personal information, financial or credit card details, passwords, and more.”
A spokesperson for the Irish Data Protection Commission told the Irish Independent that it was “aware of the issue and is engaging with iCabbi on the matter”.