Dubai Taxi Company app exposes sensitive customer and driver data in database breach

Dubai Taxi Company, a subsidiary of Dubai’s Roads and Transport Authority, faced a security breach that exposed a substantial amount of sensitive information from its DTC app. The breach, identified by the Cybernews research team, impacted over 197,000 app users and nearly 23,000 drivers.

The leaked data, housed in an open MongoDB database, included confidential details from 2018 to 2021. The exposed database included customer data, drivers’ personally identifiable information (PII), registration and bank details, and passenger order specifics.

The compromised user data included email addresses, phone numbers, phone models, various app tokens, and crucial digital keys associated with user accounts. This exposure potentially posed risks of unauthorized access to user accounts.

The breach extended to DTC drivers, revealing information such as driving license numbers, work permit details, nationalities, usernames, encrypted passwords, and phone numbers. Moreover, the breach exposed over 17,000 support conversations and customer complaints records.

The breached database contained a significant volume of information from the online driver app logs, comprising approximately one terabyte. These logs included location specifics, IP addresses, indications of VPN usage, and even device battery status.

Although the MongoDB database has been closed after its discovery, the extent of this exposure remains a concern. Despite attempts to reach out to DTC for comment before publication, there has been no response as of the time of this report.