Cabcharge data exposed

May 17, 2016 |

Cabcharge has had a data breach.  This was identified by Riskbased Security, a cyber security company based in Virginia, USA, while doing some research.  The researchers notified Cabcharge who took action to remedy the problem but did not reply to the notification and did not notify its customers of the exposure of data.  That data identified by Riskbased security included the client’s payment card details, their movements (pick up and drop off points) and eTag payment data and logs as well as data relating to drivers including their full name, their ABNs, their taxi IDs and booking information.  All sensitive.

The episode is indicative of the poor practice of many organisations and preference for trying to deal with matters in house, hoping the problem will blow over, than managing the problem and advising those whose data has been compromised so they may take steps.  It also highlights the need to have mandatory data breach notification laws which are clear and unequivocal in their obligations and require, as a starting point, a presumption of notification.

It is hardly an episode that Cabcharge can be proud of.  It will be interesting to see whether the Privacy Commissioner has been notified and, if not, what he will do about it. Clearly Cabcharge is covered by the Privacy Act 1988.

The article provides:

It’s no secret that data breaches come in many different forms, ranging from savvy attackers meticulously exploiting system weaknesses to tried and true phishing scams to skimming devices planted on credit card readers. But sometimes, we can be our own worst enemy when it comes to securing our most valuable data.

Case in point, while conducting research on, one one of our researchers discovered an open database from a webservice belonging to, who was acquired by Udemy in early 2016. Despite our initial concerns that the issue would go unaddressed since was no longer in business, administrators from responded quickly and secured the database within hours of us reaching out with news of the discovery. The administrators went on to confirm the fix with a “Thank You” reply back to the research team.

At the same time the breach was discovered, our researchers uncovered another open database belonging to that was very concerning. The same notification protocol was followed as done with the breach. Our lead researcher quickly contacted to alert them to the issue. After a few hours of checking on the status of the open database, it appeared some action had been taken to secure it, but no reply has been received from their administrators. Furthermore, as of this posting, there is no sign has alerted impacted individuals, which is troubling given the nature of the information exposed in this particular database. That said, it is reasonable to assume that it will take some time to evaluate the full impact of a breach, determine who was affected, argue with company lawyers, and draft a notification letter.

The open database contains sensitive information of both customers and drivers, including customer credit card details along with only the last 4 digits of the credit card number. The database also contains Driver’s full name, ABN ( Australian Business Number), Taxi ID, terminal IDs as well as trip logs, bookings information, and other critical usage details exposing individual trip movements.

The stored transactions are from the Cabcharge Taxi Management System (CTMS), and include copies of partial credit card numbers, drop off location, pick up location, as well as client and driver identifier information including names. There are also copies of e-TAG serials and codes used on the motorway for electronic payments, which provides yet even more detail for tracking trip activity.

After preliminary evaluation, this database includes:

  • Clients’ financial information in the form of payment card details;
  • Clients’ movements, including pickup and drop off points and times;
  • eTag electronic payment data, CabCharge invoices, statements, and logs.

Our research indicates this database (containing valuable data as documented) was open for at least 3 weeks prior to its discovery by RBS. To date, no reply has been received to our researcher’s alert and no mention of the incident has been made to the persons’ whose personal information was exposed to the world.

CabCharge has been under increasing pressure from companies such as Uber and GoCatch.  In fact, after taxi payment surcharges were slashed, CabCharge’s net profits dropped 21.7%.  Even with this drop, they still made $24.4 million in the last half of 2015, although investors appear to be concerned about the company’s finances.  There has been a big focus for CabCharge to improve their technology and focus on making the customer experience better.

While it is well documented the poor service and long wait times customers have had to endure to get a taxi, it is important that the waiting for notification ends as soon as possible and CabCharge voluntary alerts customers impacted about this breach.

At this point, there is not a Data Breach notification law that requires Australian organization to disclose breaches, but one appears to be in the works.

One Response to “Cabcharge data exposed”

  1. Cabcharge data exposed | Australian Law Blogs

    […] Cabcharge data exposed […]

Leave a Reply

Verified by MonsterInsights