Tapsi, Iran's second largest ride-hailing company, has admitted that hackers breached its systems and stole the data of 27 million users, in what is potentially the largest hack to date of any major Iranian tech firm.
Milad Monshipour, CEO of Tapsi, confirmed in a tweet on September 3 that hackers had succeeded in breaching the company's infrastructure and stolen sensitive information. Upon discovering the breach, Tapsi promptly reported the incident to law enforcement authorities and took immediate steps to secure its systems.
“According to emails received from the hacking group responsible for the breach, their motive appeared to be extortion. They demanded a sum of money in exchange for not disclosing the stolen information,” he said.
“However, Tapsi chose not to comply with their demands after negotiations revealed that there were no guarantees against the release of the data or future misuse.”
Monshipour said it was “unlikely” that the information stolen from the second-largest Uber clone would be sold on the open market.
He expressed his regret over the incident and assumed responsibility for it, vowing to conduct a thorough investigation into the root causes, which he would share in due course.
The company is reportedly working with Iran’s cyber police to identify the hackers and prevent the sale of the stolen data.
The hacker group claimed to offer a trove of information for sale, including data on over 27 million passengers, six million drivers, and 136mn trips.
In addition to the stolen data, the hackers claimed to have access to source code from Tapsi's products and information about passengers' and drivers' mobile devices.
The price tag for this extensive dataset was set at $35,000.
The hacker group criticised Tapsi's handling of customer data, asserting that the company had been negligent in safeguarding its clients' information.
Social media users have been quick to criticise the tech company for its apparent disregard for the sensitive data of millions of users across the country at a time.
“Tapsi made it clear that they had no intention of negotiating or paying any money for the data, which means that they do not care about safeguarding your data,” wrote one user on banned messaging app Telegram.
Meanwhile, one user on Twitter who goes by the name “UNIX Team” harshly criticised the handling of the situation, blaming the country’s brain drain as part of the cause of the largescale hack.
“The regulatory bodies should have taken more serious measures earlier,” the UNIX Team wrote.
“Iran’s technology ecosystem vividly suffers from the lack of specialised technicians. I have worked as a technical interviewer in three mobile operator companies for the past seven years, and I confirm that almost all the specialised technicians have left this country,” the user said.
In the ride-hailing industry, Snapp! and Tapsi are the two most prominent players across Iran, with the former having over 62mn registered accounts and being operational in 150 cities and towns across the country. Tapsi is now revealed to have only 27mn users.
Earlier this year, Tapsi won a landmark case against its larger rival, Snapp!, which it had accused of unfair competition, ICTNA reported at the time.
Snapp's main rival said the company had used counterfeit SIM cards to generate fake taxi orders and gain access to the contact details of 14,000 Tapsi drivers, who were subsequently encouraged to join the company.
However, the appellate court has deemed fines unnecessary, as the anti-competitive activities were conducted on a relatively small scale and did not significantly impact Tapsi's business.