RiskBased Security reports that although it notified CabCharge of a misconfigured database leaking customer information and CabCharge seems to have taken steps to secure the data, CabCharge has neither acknowledged the notification nor notified customers:
…. Our lead researcher quickly contacted CabCharge.com.au to alert them to the issue. After a few hours of checking on the status of the open database, it appeared some action had been taken to secure it, but no reply has been received from their administrators. Furthermore, as of this posting, there is no sign CabCharge.com.au has alerted impacted individuals, which is troubling given the nature of the information exposed in this particular database. That said, it is reasonable to assume that it will take some time to evaluate the full impact of a breach, determine who was affected, argue with company lawyers, and draft a notification letter.
The CabCharge.com.au open database contains sensitive information of both customers and drivers, including customer credit card details along with only the last 4 digits of the credit card number. The database also contains Driver’s full name, ABN ( Australian Business Number), Taxi ID, terminal IDs as well as trip logs, bookings information, and other critical usage details exposing individual trip movements.
The stored transactions are from the Cabcharge Taxi Management System (CTMS), and include copies of partial credit card numbers, drop off location, pick up location, as well as client and driver identifier information including names. There are also copies of e-TAG serials and codes used on the motorway for electronic payments, which provides yet even more detail for tracking trip activity.
Read more on RiskBased Security.