The Dubai Taxi Company (DTC), a subsidiary of Dubai’s Roads and Transport Authority, has suffered a significant data breach, potentially exposing the personal information of over 220,000 users of its popular taxi app.
The breach allegedly exploited the vulnerabilities within the DTC app, resulting in the database containing sensitive customer and driver data accessible to the public. The DTC app is a critical component of the city’s transportation infrastructure. It has over 197,000 app users and nearly 23,000 drivers affected, which shows the extent of the breach and the potential risks associated with the compromise.
The incident started with the exposed data in an open and exposed MongoDB database, a platform commonly employed for managing vast amounts of document-oriented information. Fortunately, the admins secured the exposed database, but the breach raises questions about the app’s cybersecurity measures and information security.
The Dubai Taxi Company has yet to address inquiries about the breach.
The leaked information from the Dubai Taxi Company app includes the production database used for classified development purposes. On the other hand, the confirmed exposed details include customer data, logs, drivers’ personally identifiable information (PII), registration and bank details, and passenger order details from 2018 to 2021.
In addition, the breach compromised the data of the nearly 200,000 affected customers. Information such as email addresses, phone numbers, phone models, and app tokens for email, login, session, and signup were included in the breach. Such tokens are digital keys that, if exploited, could lead to unauthorised access to user accounts.
Furthermore, the impact on the 22,952 drivers is even more severe since the leaked data contains driving license numbers, work permit numbers, nationality, usernames, encrypted passwords, phone numbers, and one terabyte of data from the online driver app logs.
These logs stored intricate details, such as location specifics, IPs, VPN usage, and device battery status that would provide a comprehensive view of the drivers’ activities. In addition to the troves of exposed data, the database contained over 17,000 customer support conversations and complaints records.
This breach shows the urgent need for increased cybersecurity measures within the transportation industry since digital platforms have become integral to daily routines. As of now, DTC has yet to publish details about this incident.
Affected parties should be more cautious about unsolicited communications while waiting for DTC’s announcement, as threat actors could have acquired the exposed data to enable them to execute other cybercriminal campaigns.
