Cabcharge data exposure highlights need for mandatory breach notifications
Cabcharge has a problem. It's not just this week's discovery of a significant data breach, although it relates to that. But let's start with the data breach.
Risk Based Security (RBS) is an information security intelligence, analysis, and vulnerability assessment firm headquartered in Richmond, Virginia. On Monday, RBS blogged about their discovery, two weeks earlier, of an open database at Cabcharge, an Australian company that operates what is effectively a monopoly for processing non-cash payments for taxis, plus other transport and transport-related services.
"The CabCharge.com.au open database contains sensitive information of both customers and drivers, including customer credit card details along with only the last 4 digits of the credit card number. The database also contains Driver's full name, ABN (Australian Business Number), Taxi ID, terminal IDs as well as trip logs, bookings information, and other critical usage details exposing individual trip movements," RBS wrote.
Latest Australian news
"The stored transactions are from the Cabcharge Taxi Management System (CTMS), and include copies of partial credit card numbers, drop off location, pick up location, as well as client and driver identifier information including names. There are also copies of e-TAG serials and codes used on the motorway for electronic payments, which provides yet even more detail for tracking trip activity."
This is serious stuff. Yet Cabcharge's only on-record comment, a statement by chief executive officer Andrew Skelton, downplays the risk.
"On 5 May, we were made aware of a breach of information on Amazon Web Services (AWS). Our security team investigated the issue and re-secured the data on the same day," the statement began.
"Most of the information was old and contained inactive Cabcharge Fastcard numbers and expiry dates."
Notice that Cabcharge is already trying to spin this as nothing to worry about, and not even their fault. The data was old and inactive. The data was at AWS, not Cabcharge.
But saying that the database "contained inactive Cabcharge Fastcard numbers" doesn't rule out the possibility that it contained other things as well. And indeed, the very next paragraph of the statement admits to that. Or some of it.
"However, up to 3,443 active Cabcharge Fastcard accounts were affected. Our investigation shows there has been no misuse of these accounts.
"As a precaution, we are cancelling affected Fastcards and reissuing new cards with additional security features," Skelton said, without specifying what those features might be, or whether Fastcard-holders unaffected by this breach might also benefit from these new features.
The statement goes on to say that while the last four digits of a "limited number" of customer credit cards were opened, this won't be a problem -- which is doubtless true -- before ending with the ritual statement.
"The privacy and security of our customer and driver data remains a key priority. We are in the process of contacting affected Fastcard customers."
Now all that covers the financial information in the open database. What of the trip logs and suchlike?
I put that question directly to Cabcharge's PR firm, which had taken over communication: "Are you able to confirm or deny the exposure of trip data, or provide more specific detail about what was exposed?"
The reply? "This is the statement that we're providing."
How reassuring.
Yet again, we have an organisation that seems to think that financial information is what needs to be protected. Yet credit card number and Fastcard numbers can be reissued easily.
What can't be changed as easily are people's movements, and revealing even old trip details can be a problem.
Consider the staff of a family planning clinic. A regular taxi ride could reveal their home addresses, making them vulnerable to violent anti-abortion activists. As the case of Peter James Knight shows, such people can be prepared to kill in the pursuit of their political aims.
Or consider David Campbell, former minister for transport in New South Wales. A married man, Campbell was forced to resign after he was found using his ministerial car to visit a gay sex club. Sure, he didn't use a taxi for those visits, but his career would have been just as dead if he had.
Two years ago, in the case of dating site operator Cupid Media -- not to be confused with OkCupid -- Australia's privacy commissioner Tim Pilgrim made it very clear that "data other than credit and other financial information may be 'sensitive information' under the definition of that term in the Privacy Act".
Cabcharge, it would seem, is still living in the past.
So is food delivery operator Menulog.
Last month, in response to a direct question about the integrity of their customer database, they provided a hand-wavey answer about "upgrading that part of the system".
"Rest assured it will still register any orders you place or loyalty accrued in this period," Menulog wrote, as if this were the biggest concern from any potential data breach.
This lack of awareness is appalling, especially given that only the month before, in March 2016, Menulog had exposed more than a million customers' details without notifying them. They just sent a generic email reminding customers to use strong passwords.
Both Cabcharge and Menulog are significant Australian companies who claim to be committing to protecting customer privacy. But both clam up when the fertiliser hits the air conditioner.
Could you find two better examples to show why Australia needs mandatory data breach notification laws?
What makes Cabcharge and Menulog's behaviour even more stupid is that, as ZDNet wrote last week, being honest about data breaches increases customer trust.
Disclosure: Stilgherrian is a Menulog customer.