Taiwanese automotive conglomerate Hotai Motor uncovered reams of non-public buyer knowledge from its automotive rental and carshare unit, iRent, till a safety researcher discovered the info on-line final week.
Even then, it took the corporate every week — and the intervention of the Taiwanese authorities — to behave.
Hotai Motor is likely one of the largest monetary holdings corporations in Taiwan, and in addition the Taiwanese distributor for Toyota. iRent is a well-liked auto service app, purchased by Hotai in 2022, which permits prospects to pay hourly to hire vehicles that may be discovered both free-floating or at a depot.
iRent reportedly has over 1.1 million registered vehicles and 580,000 iRent customers.
Safety researcher Anurag Sen found a database containing iRent prospects’ full names, cellphone numbers and e mail addresses, dwelling addresses, images of their drivers’ licenses, and partially redacted fee card particulars, on a Hotai-owned cloud server that was inadvertently accessible from the web.
As a result of the database was not password-protected, anybody on the web may entry the iRent buyer knowledge simply by realizing its IP deal with.
Sen stated the uncovered database additionally contained hundreds of thousands of partial bank card numbers, and at the very least 100,000 buyer identification paperwork, in addition to selfies, signatures, and rental car particulars.
TechCrunch reviewed a portion of the uncovered knowledge and confirmed Sen’s findings. Web information by Shodan, a search engine for uncovered units and databases, present the database was spilling knowledge way back to Could 2022 and contained about 4.2 terabytes of information on the time it was secured.
TechCrunch despatched a number of emails this week to Hotai Motor with particulars of the uncovered database, however we didn’t obtain a reply. All of the whereas, the database was updating with new buyer knowledge in actual time.
On January 28, TechCrunch subsequently contacted Taiwan’s Ministry of Digital Affairs, the federal government division that regulates and oversees the nation’s web and telecoms, for assist in disclosing the safety lapse to the corporate. In an emailed response, Taiwan’s minister for digital affairs Audrey Tang advised TechCrunch that the uncovered database had been flagged with Taiwan’s nationwide laptop emergency response crew, generally known as TWCERT/CC. Inside an hour, the uncovered iRent database grew to become inaccessible.
A short while later, Hotai Motor confirmed it had secured the database. “We had blocked the surface connection to this IP instantly.” Hotai stated that it will inform prospects whose knowledge was uncovered.
It’s not clear if anybody else, aside from Sen, discovered the database in the course of the 9 months it was spilling knowledge.
It’s not the primary time a automotive rental firm has compromised its personal prospects’ knowledge. Again in 2017, Hertz by accident leaked the non-public knowledge of 36,000 prospects. France’s nationwide knowledge safety authority fined Hertz France €40,000 on the time as a result of the info was discovered to be simply accessible on-line.
