Personal information of 287,000 taxi passengers exposed in data breach
The data breach was attributed to “human error” by the Dublin-founded taxi software firm iCabbi
A data breach within the Irish taxi software firm iCabbi that potentially affected almost 300,000 taxi passengers in Ireland and the UK has been described by the company as “human error”.
The lapse exposed the names, emails and phone numbers of almost 300,000 customers based in Ireland and the UK, including those of senior BBC directors, journalists and executives, British government officials and an ambassador to an EU country.
The security researcher who discovered the data breach, VPNMentor’s Jeremiah Fowler, said that an exposed database with almost 23,000 records and documents containing the personal information was not password-protected.
When contacted by Mr Fowler about the breach, an iCabbi executive attributed the lapse to “human error” when migrating a customer database and said that the company would contact customers to make them aware of the breach.
In a statement to the Irish Independent, a spokesperson for iCabbi acknowledged the breach and said that the company “took appropriate action and contacted the affected taxi companies”. She did not say whether any of the affected individuals or companies suffered any loss.
“It is a wakeup call for users to be aware of phishing attempts or suspicious emails from taxi providers,” said Mr Fowler.
“Another potential risk would be criminals having access to the contact information and private phone numbers of public officials or those working in the media.”
ICabbi is a software platform for taxi companies that provides dispatch, contact and payment systems.
The Howth-founded firm sold a majority stake to Renault in 2018.
By 2022, it was claiming to be the largest dispatch technology provider in the world, supplying approximately 100,000 taxis every day in Ireland, the UK, the US, Canada, New Zealand, Australia and Finland.
In an expanded account of uncovering the breached data on VPNMentor’s website, Jeremiah Fowler described iCabbi’s response and reaction to his disclosure as one of “transparency”, adding that “iCabbi acted fast and professionally to secure the data upon receiving my responsible disclosure notice”.
However, he said that potential risks of exposed user data include the possibility of criminal exploitation.
“When criminals know the specific services that customers use as well as their contact details, they have sufficient information to engage in targeted phishing campaigns,” he said.
“In this case, for example, I was able to search for specific domain names such as ‘.gov.uk’ and identify individuals who work at local, regional and national government agencies. These individuals could potentially be higher-value targets compared to the average passenger, depending on the motives behind the hypothetical attack.
“Hypothetically, the most common tactic would be criminals sending mass emails to users under the false pretenses that the email is an official communication from a legitimate taxi service using iCabbi’s technology. Cybercriminals could potentially target these individuals to get them to reveal additional personal information, financial or credit card details, passwords, and more.”
A spokesperson for the Irish Data Protection Commission told the Irish Independent that it was “aware of the issue and is engaging with iCabbi on the matter”.