Hubbis, a company handling personally identifiable user data (including names, job titles, company details, contact information, CVs, and usage behavior), faces a critical vulnerability in its data transfer and third-party sharing practices. The Privacy Policy explicitly states that user data is transferred internationally and shared with third-party processors (e.g., fulfillment houses, business partners, and advertisers) without robust safeguards against unauthorized access, breaches, or misuse. The policy also acknowledges cooperation with law enforcement via court orders, which—while legally compliant—could expose sensitive data if systems are compromised. The lack of explicit encryption standards, breach notification protocols, or incident response details in the policy suggests systemic weaknesses. Given the aggregation of professional and personal data (e.g., CVs, email addresses, corporate roles), a breach could enable targeted phishing, identity theft, or corporate espionage. The policy’s reliance on user consent for third-party data transfers further amplifies risks, as partners may have weaker security postures. A successful attack exploiting these gaps could lead to large-scale exposure of customer and employee records, financial fraud via stolen identities, or reputational collapse due to regulatory non-compliance (e.g., GDPR violations).
Source: https://www.hubbis.com/news/arta-introduces-shariah-compliant-investment-portfolios
TPRM report: https://www.rankiteo.com/company/hubbis
"id": "hub5102851102825",
"linkid": "hubbis",
"type": "Vulnerability",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'name': 'Hubbis',
                        'type': 'Company (likely B2B services, events, or '
                                'media)'}],
 'customer_advisories': 'Users can update their data or marketing preferences '
                        "via admin or the 'Contact Us' section.",
 'data_breach': {'personally_identifiable_information': True,
                 'sensitivity_of_data': 'Moderate to High (includes PII and '
                                        'professional history)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Behavioral data '
                                              '(non-financial)']},
 'description': 'Hubbis, a company committed to safeguarding user privacy, '
                'outlines its data processing practices in its Privacy Policy. '
                'The policy details the collection of personally identifiable '
                'information (PII) such as names, job titles, company details, '
                'contact information, and CV data (including educational '
                'history and work experience). The data is used for '
                'personalized services, order processing, market research, and '
                'interactive features. Hubbis discloses that it may share user '
                'data with business partners, third-party suppliers, or as '
                'required by law enforcement or court orders. The policy also '
                'mentions the use of aggregate data for marketing, strategic '
                'development, and auditing, as well as tracking user movements '
                'on its websites (excluding financial information like '
                'credit/debit card details). Security measures are in place to '
                'protect against unauthorized access, alteration, or loss of '
                'data, though data may be transferred internationally or to '
                'third-party processors like fulfillment houses. Users can '
                'update their data or marketing preferences via the company’s '
                'admin or website.',
 'impact': {'data_compromised': ['Name',
                                 'Job title',
                                 'Company name',
                                 'Company address',
                                 'Phone number',
                                 'Fax number',
                                 'Mobile telephone number',
                                 'E-mail address',
                                 'Educational history',
                                 'Work experience',
                                 'Other CV information (if provided)',
                                 'User movements (page scrolling, mouse '
                                 'clicks, text entered)'],
            'identity_theft_risk': 'Potential (due to PII collection and '
                                   'international data transfers)',
            'payment_information_risk': 'Low (financial details like '
                                        'credit/debit card information are '
                                        'explicitly excluded from tracking)'},
 'recommendations': ['Clarify data retention periods and deletion policies in '
                     'the Privacy Policy.',
                     'Explicitly state whether user data is encrypted during '
                     'storage/transit.',
                     'Detail specific security measures (e.g., access '
                     "controls, audits) beyond generic 'appropriate measures'.",
                     'Provide transparency on third-party data processor '
                     'locations and their compliance standards (e.g., GDPR).',
                     'Offer users clearer opt-out mechanisms for data sharing '
                     'with business partners.'],
 'references': [{'source': 'Hubbis Privacy Policy'}],
 'response': {'communication_strategy': 'Users can contact admin or visit the '
                                        "'Contact Us' section to update data "
                                        'or marketing preferences.',
              'enhanced_monitoring': 'User movements (e.g., page scrolling, '
                                     'clicks) are tracked for usability and '
                                     'support improvements.',
              'law_enforcement_notified': 'Cooperation with law enforcement is '
                                          'reserved as a right (e.g., for '
                                          'court orders or legal requests).',
              'third_party_assistance': 'Data processors (e.g., fulfillment '
                                        "houses) act on Hubbis' instructions "
                                        'for service provision.'}}