More than 140,000 users of the Pod Point electric car charging app could have had their data put at risk by a security vulnerability.
We believe the issue affects only customers with home chargers. However, it could also in theory apply to users of Pod Point’s public charging points.
Data exposed by the flaw included the full names, home addresses and car-charging history of Pod Point customers. Cybercriminals could use this information to locate owners of expensive electric cars and to learn when a car was typically at that location being charged.
Pod Point, the UK’s largest domestic car charging provider and now owned by EDF Energy, fixed the issue after we contacted them. It says that the risk to customers has been removed.
The company said it has contacted the Information Commissioner’s Office (ICO) about the issue, but has “not identified any evidence of personal data being compromised”.
Security flaw leaves customer data exposed
In March 2021, the security research consultancy 6point6 researched mobile apps used for electric vehicle charging, including Pod Point’s.
6point6 found that it was possible to access a customer’s full name, full address, partial email address, charge history and the longitude and latitude of their charger via a flaw in the Pod Point app.
In addition, it was possible to easily search for sensitive customer data. So, if you knew that an email had been used to register a Pod Point account, you could then see where that person lived and view their charge history.
To exploit this, all an attacker would need is a registered Pod Point account, which could be set up by anyone.
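The weakness described above is a lookup that checks only that the caller is logged in, not that the record being requested belongs to the caller. The following Python is an added illustration, not Pod Point’s code, and makes no claim about how their app or API was built: a hypothetical lookup handler in its weak form beside a fixed form that returns only the calling account’s own record, plus a small detector that runs over constructed request logs and flags sessions that query many other people’s email addresses. All customer records, names and log lines are constructed for the example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Customer:
    customer_id: int
    email: str
    full_name: str
    address: str
    charger_lat: float
    charger_lon: float
    charge_history: list[str] = field(default_factory=list)


# Constructed sample records (fictional people, addresses and coordinates).
CUSTOMERS = {
    1: Customer(1, "alice@example.com", "Alice Example", "1 Example Road, Exampletown",
                51.50, -0.12, ["2021-03-01 18:02", "2021-03-02 18:10"]),
    2: Customer(2, "bob@example.com", "Bob Example", "2 Sample Street, Sampleville",
                53.40, -2.20, ["2021-03-01 22:30"]),
    3: Customer(3, "carol@example.com", "Carol Example", "3 Test Lane, Testford",
                55.95, -3.19, []),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def full_record(c: Customer) -> dict:
    """Serialise the sensitive fields a customer may see about their own account."""
    return {
        "customer_id": c.customer_id,
        "full_name": c.full_name,
        "address": c.address,
        "charger": (c.charger_lat, c.charger_lon),
        "charge_history": list(c.charge_history),
    }


def lookup_customer_vulnerable(session_user_id: int, email: str) -> dict | None:
    """Weak form (hypothetical): any logged-in account can resolve any email to a full record.

    The session is checked only for existence, never for ownership of the record.
    """
    if session_user_id not in CUSTOMERS:
        raise Forbidden("login required")
    for c in CUSTOMERS.values():
        if c.email.lower() == email.lower():
            return full_record(c)
    return None  # also leaks whether an email is registered


def lookup_customer_fixed(session_user_id: int, email: str) -> dict:
    """Fixed form: the record is returned only if it belongs to the calling account."""
    if session_user_id not in CUSTOMERS:
        raise Forbidden("login required")
    caller = CUSTOMERS[session_user_id]
    if caller.email.lower() != email.lower():
        # Same response whether or not the email exists, so the endpoint
        # cannot be used to confirm which addresses hold an account.
        raise Forbidden("not your record")
    return full_record(caller)


def raises_forbidden(fn, *args) -> bool:
    """Helper for checks: True if calling fn(*args) raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# Constructed access log: (session_user_id, email queried), as a server might record.
# User 3 looks up two other customers' addresses plus their own.
LOOKUP_LOG = [
    (1, "alice@example.com"),
    (2, "bob@example.com"),
    (3, "alice@example.com"),
    (3, "bob@example.com"),
    (3, "carol@example.com"),
]


def flag_enumerating_sessions(log, own_email_by_id: dict[int, str], threshold: int = 2) -> list[int]:
    """Return user ids that queried at least `threshold` emails other than their own.

    On a correctly authorised endpoint these requests would all be refused, so a
    session producing many of them is worth alerting on even after the fix.
    """
    foreign: Counter = Counter()
    for uid, email in log:
        own = own_email_by_id.get(uid)
        if own is None or email.lower() != own.lower():
            foreign[uid] += 1
    return sorted(uid for uid, n in foreign.items() if n >= threshold)


if __name__ == "__main__":
    owners = {c.customer_id: c.email for c in CUSTOMERS.values()}
    print("weak handler, user 2 asks for Alice:", lookup_customer_vulnerable(2, "alice@example.com"))
    print("fixed handler refuses the same request:", raises_forbidden(lookup_customer_fixed, 2, "alice@example.com"))
    print("sessions to review:", flag_enumerating_sessions(LOOKUP_LOG, owners))
```

The fixed handler deliberately does not distinguish "no such email" from "not your record": both return the same refusal, which closes the registration check that the weak form gives away with its `None`. The detector is a complement rather than a substitute; ownership enforcement is the control, the log check tells you whether anyone was probing.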
Thousands of Pod Point customers put at risk
Based on our analysis, the security flaw could have put at risk more than 140,000 customer records.
6point6 contacted Pod Point on 15 March 2021 but, despite repeated attempts through various Pod Point public points of contact, it got no response.
After verifying that the vulnerabilities were still present in late September 2021, 6point6 contacted Which? to assist with the disclosure to Pod Point.
Pod Point responds to Which? about the vulnerabilities
After being contacted by Which?, Pod Point acknowledged 6point6’s findings and took action to address the highest risk components of the vulnerability. We have independently verified that the bulk of the risk to consumers has now been removed.
We have suggested other possible security measures to consider going forwards, and Pod Point has said that it has engaged a cyber security firm to “carry out extensive penetration and mobile testing to identify and resolve any security issues”.
The firm said that cyber security is of “utmost importance” to the company and it has contacted the Information Commissioner’s Office (ICO) about the vulnerability.
“All issues identified by 6point6 have been resolved. We have also discussed with the ICO and implemented their guidance, including carrying out an assessment of the vulnerability in accordance with GDPR requirements,” the company said.
“At this stage we have not identified any evidence of personal data being compromised, but as with all matters we will continue to work with the ICO on an open and transparent basis.”
What should I do if I am a Pod Point customer?
First of all, don’t panic. We have conducted a search of open and dark web markets and not found anyone marketing stolen Pod Point data for sale.
However, we can’t know for sure if the vulnerability was ever exploited by a hacker, particularly as it was open for at least six months, possibly longer.
When asked about this, Pod Point told us: “We would like to further reassure all our App users that we have no reason to believe that personal data held on the App has been compromised or accessed by any third party outside of the testing conducted by 6point6.
“We continue to work with a range of experts to ensure the security of our proprietary software, hardware and firmware.”
If you are a Pod Point app user, we advise you to be wary of any potential phishing messages that include data on your address, the fact you have an electric car or your charging history.
If you see anything concerning, you can report it to Action Fraud by calling 0300 123 2040 or at the Action Fraud website. If you live in Scotland you can report a scam directly to the police by calling 101.
Please also contact us via our Scam Watch tool about the issue to share your story with others.
Source: https://www.which.co.uk/news/2021/11/pod-point-electric-car-chargers-security-flaw-may-have-put-140000-app-users-data-at-risk/