Cabcharge Breach Could Hail Fraudsters
Australian Taxi Booking Company Left Payment Card Data Exposed
A data breach at Cabcharge, a large Australian taxi booking and payments service, exposed details on customer movements, drivers and partial credit card numbers, and one security expert is warning that the data could be useful to fraudsters.
The breach was discovered by Risk Based Security of Richmond, Va., which specializes in analyzing software vulnerabilities and data breaches. It reports that Cabcharge was running an internet-connected database that required no login credentials.
Risk Based Security says it discovered the database using Shodan.io, a specialized search engine used to hunt for anything that connects to the Internet, including devices that belong to the so-called Internet of Things - smart TVs, refrigerators and critical infrastructure systems run by utilities.
The database reportedly contained transaction information from the Cabcharge Taxi Management System, which is a Windows application used for managing taxi expenditures, including FastCard accounts. FastCards are custom payment cards similar to a credit card, but they can only be used to pay for transport services.
"Our lead researcher quickly contacted Cabcharge.com.au to alert them to the issue," Risk Based Security writes. "After a few hours of checking on the status of the open database, it appeared some action had been taken to secure it, but no reply has been received from their administrators."
A Cabcharge spokeswoman had no immediate comment. The breach, which amounted to 3.6 GB of data, affected more than 3,443 FastCard holders, according to The Sydney Morning Herald.
Cabcharge CEO Andrew Skelton told the publication that an investigation found that most of the exposed FastCard data was old and contained expired card numbers. The accounts had not been misused, he said, and the company was in the process of issuing replacement cards.
Exposed data included pickup and drop-off points, invoices, statements, logs, full names of cab drivers, ABNs (Australian business numbers), taxi IDs, payment terminal IDs, and serial numbers and payment data for eTags, which are used for electronically paying road tolls. It also included the last four digits of payment cards.
Shodan Keeps Finding Insecure Devices
Cabcharge's breach shows that companies often don't know what sensitive data is out in the open for anyone to find, especially with powerful tools such as Shodan.
Troy Hunt, a security expert who runs the free "Have I Been Pwned?" alert service for data breach victims, says there are often errors made when configuring databases such as MongoDB, which then turn up in Shodan searches (see 191 Million U.S. Voter Registration Records Exposed?). "One tiny mistake and this data is public," he says.
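The "one tiny mistake" Hunt describes is usually one of two settings in the server's configuration file: binding the listener to every network interface, or leaving authorization switched off so that no credentials are required. The following audit script is an added example, not code from the article, from Cabcharge or from Risk Based Security; it parses the indentation-based `key: value` subset that MongoDB's `mongod.conf` uses and flags those two settings. The two sample configurations are constructed for the example and do not describe Cabcharge's actual deployment.

```python
"""Audit a mongod.conf (YAML) for the two settings that most often turn a
database into an open, Shodan-indexable listener: binding to every interface
and running without authorization.

Added example; the config key names (net.bindIp, security.authorization) are
MongoDB's own, the sample configs are constructed for illustration.
"""
from __future__ import annotations


def parse_simple_yaml(text: str) -> dict:
    """Parse the 'key: value' subset used by mongod.conf: nested mappings by
    indentation, '#' comments and blank lines. No lists, anchors or multi-line
    scalars, which is enough for the settings this audit cares about."""
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]   # (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while indent <= stack[-1][0]:               # climb back out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value == "":                             # start of a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_config(text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means the two
    exposure-relevant settings look safe."""
    cfg = parse_simple_yaml(text)
    findings: list[str] = []

    net = cfg.get("net", {})
    bind_ip = net.get("bindIp") if isinstance(net, dict) else None
    if bind_ip is None:
        # MongoDB releases before 3.6 bound to all interfaces when bindIp was unset.
        findings.append("net.bindIp not set: pre-3.6 servers listen on all interfaces by default")
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        if "0.0.0.0" in addrs or "::" in addrs:
            findings.append(f"net.bindIp={bind_ip}: database reachable from every interface")

    security = cfg.get("security", {})
    authz = security.get("authorization", "disabled") if isinstance(security, dict) else "disabled"
    if authz.lower() != "enabled":
        findings.append("security.authorization is not 'enabled': no credentials required to read data")
    return findings


# Constructed sample: the pattern behind many Shodan-indexed databases.
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # every interface, no security section at all
"""

# Constructed sample: loopback only, authentication required.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        problems = audit_mongod_config(conf)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Running the script prints two findings for the exposed configuration and none for the hardened one. Binding to loopback (or to a private interface behind a firewall) and enabling authorization are the two changes that keep a development-style configuration from becoming a public dataset; a check like this can run in CI against every deployed config file so the mistake is caught before the server is.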
Although only the last four digits of credit card numbers were exposed, Hunt says that is more problematic than people might think.
The Payment Card Industry Data Security Standard (PCI DSS), which establishes industry-created guidelines for securing cardholder data, does not require that the last four digits of a card be encrypted, Hunt says. As a result, many organizations - including major banks, online retailers and others - routinely display those four digits and also use them for verification purposes.
Obtaining the last four digits of a card, however, would be valuable for criminals to add to a dossier on a victim. The information could then be used in sophisticated social engineering ploys to get access to other accounts, Hunt says, for example against high-net-worth individuals.
Australia: No Data Breach Notification Requirement
Cabcharge's breach comes as Australia has - for several years - attempted to develop a mandatory data breach notification law, so far without success. Organizations currently have no obligation to report a data breach under the country's Privacy Act or to the Office of the Australian Information Commissioner (OAIC).
The Herald reported that Cabcharge did not plan to notify regulators, but was reaching out to affected customers.
The OAIC says that organizations must notify breach victims when they face a real risk of serious harm. That fuzzy recommendation is supposed to take into account reputational or financial damage.
Australian officials intended to have a data breach notification requirement in place by the end of 2015, but progress was slow. In early December, the government did open a consultation on a draft of a bill. That consultation ended in March, but no related action is expected now until after Australia holds its federal election on July 2.