Cyber Incident Victim: CitySprint
Date:
Apr 2022
Location:
United Kingdom
Summary
A UK-based same-day delivery firm experienced a security breach potentially compromising couriers' sensitive personal data, including driving license photos, vehicle images, and earnings records stored in its iFleet portal. The company immediately disabled the affected system upon detection and engaged forensic cybersecurity experts to investigate, later concluding no evidence of data compromise despite initial uncertainties. Authorities were notified, and contracted couriers received precautionary communications, though some drivers criticized the handling of their information and public disclosure remained absent from corporate channels during initial reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
CitySprint, a UK-based same-day delivery firm recently acquired by DPD Group, confirmed a security breach on April 7, 2022, notifying thousands of self-employed delivery drivers through email that their personal data may have been accessed by hackers. The breach occurred via the company’s iFleet portal, a system used by drivers to submit sensitive documentation including driving license photographs, vehicle images, and weekly earnings records. Upon detecting the incident, CitySprint immediately shut down external access to the iFleet platform and initiated an investigation led by independent forensic cybersecurity experts. The company stated it had no initial evidence confirming unauthorized access to personal data but acknowledged the possibility due to the breach’s nature. As a precaution, CitySprint reported the incident to the UK Information Commissioner’s Office and advised affected drivers to change passwords, enable two-factor authentication where available, and consider identity theft protection services.
By April 13, 2022, CitySprint issued an update concluding its investigation with a belief that no personal data had been compromised, though it declined to disclose specifics about the breach’s mechanics or whether iFleet functionality had been restored. The company maintained contact with drivers throughout the process but faced criticism for delayed notifications and lack of transparency, as some couriers reported not receiving timely updates about the investigation’s conclusion. No public statement appeared on CitySprint’s website regarding the breach at the time of the article’s publication, raising concerns about awareness for prospective drivers. The incident prompted an internal review of IT working practices across the organization, emphasizing CitySprint’s stated commitment to data protection. Drivers expressed dissatisfaction with the handling of their information, including via public social media channels, while CitySprint’s refusal to clarify whether two-factor authentication was implemented for iFleet access remained unresolved.