Alex Holden, chief information security officer of Milwaukee-based Hold Security, says he discovered the breach at Corporatecaronline more than a month ago. He said he informed the owner of the Kirkwood, Mo.-based software company that customers' credit card numbers, pickup and drop-off information, and other personal details had been stolen.
"The privacy implications of this are very disturbing," Holden said Monday.
Car services buy software from Corporatecaronline and use it to streamline reservations, dispatching and payments. Owner Dan Leonard did not return a call to his company for comment Monday from The Associated Press.
Cybersecurity blogger Brian Krebs, working with Hold Security, first reported the hack on his website krebsonsecurity.com, including details dispatchers gave to drivers heading out to pick up celebrity passengers. For example, Krebs reported a chauffeur driving Tom Hanks to a Chicago restaurant for dinner was advised the client was a "VVIP" who required "No cell/radio use" by the driver.
A chauffeur meeting Latin American textile magnate Josue Christiano Gomes da Silva inside an airport luggage claim area with a printed sign was warned: "SUPER VIP CLIENT. EVERYTHING MUST BE PERFECT!"
Other customers include Donald Trump, who required a new car with a clear front seat; LeBron James, who was picked up at an entrance for athletes at a Las Vegas sports arena; and Colorado Sen. Mark Udall, who was travelling to Boston with golf clubs.
The stolen files also include records about what took place in the vehicles, including sex, vomiting and smoking marijuana, Krebs reports.
Rep. John Conyers, D-Mich., whose data was among those breached, declined to comment Monday. But his spokesman Andrew Schreiber said he was appreciative that the matter was brought it to his attention.
Other members of Congress also said they were uninformed.
"This is the first we have heard about this. We were never notified, but we are looking into the claim," said Leslie Shedd, spokeswoman for Rep. Lynn Westmoreland, R-Ga.
Holden said he found the information from Corporatecaronline customers stored on the same computer server where he earlier found stolen usernames and passwords from PR Newswire, Adobe Systems and about 100 other firms. He said most firms took immediate action when informed; Adobe and PR Newswire went public when they learned of the breaches, warning millions of customers affected.
Holden declined to name dozens of other companies whose customers' data also appeared to have been hacked.
"If we start mentioning the names, there might be widespread panic," he said, noting that those companies are trying to deal with the breaches. But Holden said he was concerned that Corporatecaronline was failing to act, and that he contacted credit card companies himself.
Corporatecaronline's website boasts of robust data protection. "The only point of access to the servers is through our firewall, which is managed by our data centre, 24/7, 365 days a year," it says.
But Jonathan Mayer, a cybersecurity fellow at the Center for International Security and Cooperation at Stanford University, did some poking Monday and found the website runs on outdated software prone to vulnerabilities. He said it has code dating back to Macromedia, which was acquired by Adobe nearly eight years ago; Internet Explorer 4, which rolled out in 1997; and 13-year-old Netscape 6.
"The point here is that you don't have to be a big target to be at risk online anymore," Mayer said. "This is the new normal, and it underscores the need for improving the regulatory framework."
The FBI did not immediately return a call seeking comment.
Cybersecurity firm McAfee's chief technology officer Raj Samani said Monday the hack underscores how vulnerable customers can be, even if they're trying to use complex passwords and take precautions with their privacy.
"You can do anything you want, but in many cases you entrust your data with multiple third parties, and it's out of your hands," he said.
Associated Press writers Alan Fram in Washington and Raphael Satter in London contributed to this report.