-
A hacker, with the pseudonym Perro, claims to be selling datasets purported to be exfiltrated from the cab-hailing firm Cabify.
-
The stolen database is reported to comprise details on over 430,000 Cabify drivers in Spain.
-
With such data, threat actors can impersonate drivers via identity theft and run scam operations.
A cybersecurity hacker with the alias Perro has claimed credit for a data breach against Cabify’s systems. Reportedly, the threat actor offered to sell a database containing the personal data of over 430,000 Cabify drivers in Spain. This “claim now, verify later” pattern is a common tactic in the cybercrime world. Not too long ago, hackers claimed an HSBC USA breach on the dark web, which the bank firmly denied. While such claims are yet to be confirmed, the threat has demonstrated what could be a significant incident of cybercrime in the transportation sector.
Threat Actor Takes Credit for Cabify Driver Database Leaked
On November 15, the threat actor disclosed his purported attack on Cabify’s digital systems, claiming to be selling the dataset of the firm’s drivers in Spain. Cyber intelligence group Hackmanac announced this on their X page, noting that the purportedly exposed data comprised personally identifiable information and various sensitive details.
According to Hackmanac, the exposed data was said to comprise:
- Drivers’ full names
- User names
- Phone numbers
- Email addresses
- National ID card numbers
- Complete residential addresses
- Linked Facebook accounts
- Driver’s license details with precise dates of issuance and expiration
Notably, the transportation sector remains a prominent target for threat actors due to the huge amounts of operational and personal data it controls. Also, Spain’s foremost Unicorn firm, which launched in 2011, is operating in Latin America (LATAM).
The Perro Dataset Sale and Its Implications
The recent cyber incident with Perro underscores how cybercriminals particularly go for huge repositories of customer data for personal financial gain. Investigators are currently examining the claims, but the possible scale of the attack serves as a crucial reminder of the importance of strong data-protection measures.
Companies that manage huge databases of customers and driver credentials must continuously strengthen their security against unlicensed access and data theft. Experts suggest that such firms should bolster their digital security to mitigate the risks of such unauthorized access.
Uber, X, TikTok Data Leak
In similar developments, last June, the ID verification platform used by TikTok, X, and Uber exposed sensitive customer data. Due to this incident, the Dutch Data Protection Authority (DPA) fined Uber with €290 million for failing to comply with the European Union’s GDPR.
However, despite Uber’s motions to object to the fine, the federal agency did not budge from its verdict. As per the Dutch DPA, the cab-hailing giant collected and saved numerous sensitive information from its drivers in Europe. These details comprised personal credentials like location data, payment details, criminal records, photos, and even account details.
For more than two years, these details were sent to Uber’s headquarters in the United States without the firm implementing adequate security measures. According to the federal agency, from August 2021 onwards, Uber stopped using Standard Contractual Clauses, a notable tool to enforce data protection. Therefore, this resulted in “insufficient protection” of Uber’s driver details.
This most recent penalty is Uber’s third fine from the Dutch Data Protection Authority. Uber’s prior penalties also include a fine of €600,000 from the Dutch DPA in 2018, and a much larger fine of €10 million in 2023. Both of these penalties were for suspected failure of confidentiality of data handling, and Uber disputed the entirety of both fines.
