More than 140,000 users of the Pod Point electric car charging app could have had their data put at risk by a security vulnerability.
We believe the issue affects only customers with home chargers. However, it could also in theory apply to users of Pod Point's public charging points.
Data exposed by the flaw included the full names, home addresses and car-charging history of Pod Point customers. Cybercriminals could use this information to locate owners of expensive electric cars and learn when those cars were typically at home being charged.
Pod Point, the UK's largest domestic car charging provider and now owned by EDF Energy, fixed the issue after we contacted them. It says that the risk to customers has been removed.
The company said it has contacted the Information Commissioner's Office (ICO) about the issue, but has “not identified any evidence of personal data being compromised”.
In March 2021, the security research consultancy 6point6 examined mobile apps used for electric vehicle charging, including Pod Point's.
6point6 found that it was possible to access a customer's full name, full address, partial email address, charge history and the longitude and latitude of their charger via a flaw in the Pod Point app.
In addition, it was possible to easily search for sensitive customer data. So, if you knew that an email had been used to register a Pod Point account, you could then see where that person lived and view their charge history.
To exploit this, all an attacker would need is a registered Pod Point account, which could be set up by anyone.
Based on our analysis, the security flaw could have put at risk more than 140,000 customer records.
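The flaw described above is a missing object-level authorization check: any logged-in account could look up another customer's record by email. Below is an added illustration, not Pod Point's or 6point6's code, of that lookup beside a version that only returns the caller's own record, together with a log check that flags an account querying many other people's emails (the records, endpoint names and threshold are all constructed assumptions).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Customer:
    email: str
    full_name: str
    address: str
    charger_lat_lng: tuple
    charge_history: list

# Constructed sample records for illustration only (not real people).
DB = {
    "alice@example.com": Customer("alice@example.com", "Alice Example", "1 Sample St",
                                  (51.50, -0.12), ["2021-03-01 18:00"]),
    "bob@example.com": Customer("bob@example.com", "Bob Example", "2 Sample Rd",
                                (53.48, -2.24), ["2021-03-02 19:30"]),
}

def lookup_vulnerable(requester_email: str, target_email: str) -> Optional[Customer]:
    """The flawed pattern: authentication is checked, but any logged-in
    account may read any customer's record simply by supplying the email."""
    return DB.get(target_email)

def lookup_hardened(requester_email: str, target_email: str) -> Optional[Customer]:
    """Object-level authorization: a record is returned only to its owner.
    Returning None (rather than an error) also avoids confirming that the
    target email is registered."""
    if requester_email != target_email:
        return None
    return DB.get(target_email)

def enumeration_suspects(access_log, threshold: int = 5):
    """Detection: given (requester, target) pairs from an API access log,
    flag accounts that looked up more than `threshold` distinct emails
    other than their own. A bulk harvest of customer records would leave
    exactly this footprint even while the endpoint was still unprotected."""
    targets = defaultdict(set)
    for requester, target in access_log:
        if requester != target:
            targets[requester].add(target)
    return sorted(r for r, t in targets.items() if len(t) > threshold)

# Constructed access log: one ordinary user and one account sweeping emails.
SAMPLE_LOG = [("alice@example.com", "alice@example.com")] + [
    ("harvester@example.com", f"user{i}@example.com") for i in range(8)
]
```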
6point6 contacted Pod Point on 15 March 2021, but despite repeated attempts via various Pod Point public points of contact, it got no response.
After verifying that the vulnerabilities were still present in late September 2021, 6point6 contacted Which? to assist with the disclosure to Pod Point.
After being contacted by Which?, Pod Point acknowledged 6point6's findings and took action to address the highest risk components of the vulnerability. We have independently verified that the bulk of the risk to consumers has now been removed.
We have suggested other possible security measures to consider going forwards, and Pod Point has said that it has engaged a cyber security firm to 'carry out extensive penetration and mobile testing to identify and resolve any security issues'.
The firm said that cyber security is of “utmost importance” to the company and it has contacted the Information Commissioner's Office (ICO) about the vulnerability.
“All issues identified by 6point6 have been resolved. We have also discussed with the ICO and implemented their guidance, including carrying out an assessment of the vulnerability in accordance with GDPR requirements,” the company said.
“At this stage we have not identified any evidence of personal data being compromised, but as with all matters we will continue to work with the ICO on an open and transparent basis.”
First of all, don't panic. We have conducted a search of open and dark web markets and not found anyone marketing stolen Pod Point data for sale.
However, we can't know for sure if the vulnerability was ever exploited by a hacker, particularly as it was open for at least six months, possibly longer.
When asked about this, Pod Point told us: “We would like to further reassure all our App users that we have no reason to believe that personal data held on the App has been compromised or accessed by any third party outside of the testing conducted by 6point6.
“We continue to work with a range of experts to ensure the security of our proprietary software, hardware and firmware.”
If you are a Pod Point app user, we advise you to be wary of any potential phishing messages that include data on your address, the fact you have an electric car or your charging history.