Same-day delivery firm CitySprint has warned couriers it has suffered a data breach that may have allowed hackers to access their sensitive personal data.
An email was sent on April 7th to thousands of drivers, confirming that a security breach had occurred.
CitySprint, which was recently acquired by parcel delivery giant DPD Group, uses self-employed drivers to deliver packages across the UK.
Those drivers share personal information with CitySprint via the company’s iFleet portal – information which includes photos of their driving license, vehicle pictures, and records of their weekly earnings.
The delivery firm says that as soon as it became aware of “the incident”, it shut down the iFleet system and removed access to it.
CitySprint currently says it has no evidence of personal data having been accessed, but an absence of evidence doesn’t mean it hasn’t happened. For now, its investigations continue, and the company has “deployed forensic cybersecurity experts to thoroughly and comprehensively investigate the incident and assess what data, if any, has been compromised.”
“Our security checks, which are not quite complete yet have shown that so far, no personal data was compromised. The remaining checks will confirm if any of your data may have been affected. Therefore, as a precautionary measure, we have informed the Information Commissioner’s Office of the incident.”
CitySprint says it takes the protection of personal data “very seriously,” and is reviewing IT working practices across the organisation.
Some drivers are clearly unhappy with the firm’s handling of their personal information. For instance, one worker vented on Twitter.
In its email, CitySprint offers a series of tips to drivers on what action they should take if their personal data is compromised online.
These include changing their passwords to something strong and unique, enabling two-factor authentication on accounts which offer the additional level of security, and considering signing up for an identity theft protection service.
At the time of writing I can find no public acknowledgement of the incident on CitySprint’s website, meaning that anyone who is considering signing up as a delivery driver for the firm may be unaware that a security breach has recently occurred.
Update 13 April 2022:
CitySprint has offered the following statement:
“We recently detected an apparent malicious attempt by a third party to access confidential data from our courier management platform. As soon as this issue was discovered, we took immediate steps to close off external access to this, and launched a full and thorough investigation, led by independent cybersecurity experts. Now that this investigation has concluded, we are pleased to confirm that we believe that no personal data has been compromised. This incident has been reported to the proper authorities and we are in contact with couriers who contract with us about this as a matter of precaution.”
When asked, CitySprint declined to answer further questions regarding the nature of the breach and the company’s response, including whether iFleet has been reopened, and whether two-factor authentication (which it suggests as a sensible precaution for drivers) is even available for iFleet users.
My understanding is that some drivers affected by the security breach may not yet have received notification from CitySprint that the investigation has now concluded. Hopefully they will receive some reassurance from CitySprint soon that their data has not been stolen by cybercriminals.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.