Hosting provider sees nothing wrong? REALLY?? moodledata folder IN cgi-bin (a directory usually defined/used for executable scripts - such as .pl's)?
Moodle data folder should be at the *same* level of the folder/file structure of apache defined web root (NOT in document root - like html) but NOT in a subdirectory where apache has already 'special' definitions (cgi-bin).
So in a typical RedHat Apache layout, one would see the following folders in /var/www/:
html (document root - moodle code folder goes in here)
cgi-bin icons error manual usage ... moodle data folder also goes here.
Not accessible directly via browser URL UNLESS there's a definition in the httpd.conf file.
Have installed many, many, many open source packages. Moodle is not that special in what is required to run. Seen many that install a 'data' folder of some sort and really don't protect it. By the time one discovers that ... hacked! That's unless one reads the readme's, which sometimes tell you that kinda thing in a small sentence.
Hang in there! Adjust! ;)
'spirit of sharing', Ken
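
The layout check described in the post above, as an added example that is not part of the original post: it reads the `DocumentRoot`, `Alias` and `ScriptAlias` lines of an Apache config and reports whether a Moodle data folder sits inside any directory Apache maps to a URL. The sample config is constructed, the function names are hypothetical, and the parser assumes a flat config (no `Include`, no per-`VirtualHost` overrides, no paths containing spaces).

```python
import os
import re

# Constructed sample modelled on a stock RedHat-style httpd.conf (not from the post).
SAMPLE_CONF = '''
ServerRoot "/etc/httpd"
DocumentRoot "/var/www/html"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
Alias /icons/ "/var/www/icons/"
# Alias /old/ "/var/www/old/"
'''

# Directives that map a filesystem directory to a URL; commented lines never match.
DIRECTIVE = re.compile(
    r'^\s*(DocumentRoot|ScriptAlias|Alias)\s+(.*)$', re.IGNORECASE)


def web_mapped_dirs(conf_text):
    """Return [(directive, filesystem_path)] for each directory Apache serves."""
    mapped = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        # The filesystem path is the last argument of all three directives.
        path = m.group(2).split()[-1].strip('"')
        mapped.append((m.group(1), os.path.normpath(path)))
    return mapped


def exposure(dataroot, conf_text):
    """Return the directives whose directory contains dataroot ([] = not mapped)."""
    dataroot = os.path.normpath(dataroot)
    hits = []
    for directive, base in web_mapped_dirs(conf_text):
        # commonpath compares whole path components, so /var/www/html2
        # is not mistaken for a child of /var/www/html.
        if os.path.commonpath([dataroot, base]) == base:
            hits.append((directive, base))
    return hits


if __name__ == "__main__":
    for candidate in ("/var/www/cgi-bin/moodledata", "/var/www/moodledata"):
        found = exposure(candidate, SAMPLE_CONF)
        print(candidate, "->", found if found else "not mapped to any URL")
```

An empty result only means no URL mapping was found in the text given; `<Directory>` rules and included config files still need a manual look.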