In March this year, 6point6, a London-based independent security research consultancy founded in 2012, examined several mobile apps used for charging electric vehicles (EVs).

In one of the apps investigated, 6point6 found a flaw that made it possible to access a customer’s full name, full address, partial email address, charge history, and the longitude and latitude coordinates of their charger. 6point6 could also easily search for sensitive customer data just by knowing the e-mail address used to register the app account. The app carries the same name as the company providing it: Pod Point, UK’s largest domestic car charging provider of charging units for home, business, and public use. Pod Point was established in 2009 in London and is now owned by EDF Energy.

The flaw found by 6point6 means that all an attacker would need to access the customer data is a registered Pod Point account, which anyone could set up. According to 6point6, more than 140,000 customer records were put at risk. 6point6 contacted Pod Point on 15 March 2021 but received no response. After several attempts to reach various Pod Point public points of contact, 6point6 contacted “Which?” to assist with the disclosure to Pod Point. “Which?” is a U.K. consumer advisory service established in the 1950s.

Pod Point has now taken action on the vulnerability and acknowledged 6point6’s findings. According to Pod Point, all issues identified by 6point6 have been resolved, and a cybersecurity firm has been engaged to perform extensive penetration tests to identify and resolve any security issues, as cybersecurity is of “utmost importance” to the company, Pod Point says. So far, Pod Point has not found any stolen Pod Point data marketed by anyone on any open or dark web markets.

Written by Joakim Rosell
