Taxi payments company Cabcharge is reissuing nearly 3500 payment cards after security researchers uncovered an unsecured database of the firm's transaction details online.
Cabcharge chief Andrew Skelton has admitted the company was notified of the breach by researchers from Risk Based Security on May 5.
The RBS team had uncovered an unsecured extract of the Cabcharge Taxi Management System, hosted by Amazon Web Services.
The security firm said the database contained details of where passengers were picked up and dropped off, as well as booking details and the last four digits of passengers' credit card numbers.
It exposed even more revealing details about the cab drivers themselves, including full names attached to ABN details, and trip logs.
The research team posted its findings this week out of disappointment with the company’s response to its notification of the security issue.
RBS said the data appeared to be freely available for three weeks before its researchers found it.
“Our lead researcher quickly contacted Cabcharge.com.au to alert them to the issue,” RBS wrote earlier this week.
“To date, no reply has been received to our researcher’s alert and no mention of the incident has been made to the persons whose personal information was exposed to the world.”
However, Cabcharge has denied it was slow to act.
“Our security team investigated the issue and re-secured the data on the same day,” Cabcharge chief Skelton said in a statement.
He said an internal review found that data containing four-digit fragments of customer credit card details was opened, but claimed the company was “confident that this incomplete information cannot be misused”.
Cabcharge is now in the process of notifying the 3443 affected customers and issuing them with new contactless ‘Fastcard’ payment cards with “additional security features”.
“The privacy and security of our customer and driver data remains a key priority,” Skelton said.