Taiwanese automotive conglomerate Hotai Motor exposed reams of private customer data from its car rental and carshare unit, iRent, until a security researcher found the data online last week.
Even then, it took the company a week, and the intervention of the Taiwanese government, to act.
Hotai Motor is one of the largest financial holding companies in Taiwan, and also the Taiwanese distributor for Toyota. iRent is a popular auto service app, bought by Hotai in 2022, which allows customers to pay hourly to rent cars that can be found either free-floating or at a depot.
iRent reportedly has over 1.1 million registered vehicles and 580,000 iRent customers.
Security researcher Anurag Sen found a database containing iRent customers’ full names, phone numbers and email addresses, home addresses, photos of their driver’s licenses, and partially redacted payment card details, on a Hotai-owned cloud server that was inadvertently accessible from the internet.
Because the database was not password-protected, anyone on the internet could access the iRent customer data just by knowing its IP address.
Sen said the exposed database also contained millions of partial credit card numbers, and at least 100,000 customer identification documents, as well as selfies, signatures, and rental vehicle details.
TechCrunch reviewed a portion of the exposed data and confirmed Sen’s findings. Internet records from Shodan, a search engine for exposed devices and databases, show the database had been spilling data as far back as May 2022 and contained about 4.2 terabytes of data at the time it was secured.
TechCrunch sent several emails this week to Hotai Motor with details of the exposed database, but we did not receive a reply. All the while, the database was updating with new customer data in real time.
On January 28, TechCrunch subsequently contacted Taiwan’s Ministry of Digital Affairs, the government department that regulates and oversees the country’s internet and telecoms, for help in disclosing the security lapse to the company. In an emailed response, Taiwan’s minister for digital affairs Audrey Tang told TechCrunch that the exposed database had been flagged with Taiwan’s national computer emergency response team, known as TWCERT/CC. Within an hour, the exposed iRent database became inaccessible.
A short while later, Hotai Motor confirmed it had secured the database. “We had blocked the outside connection to this IP immediately.” Hotai said that it would inform customers whose data was exposed.
It’s not clear if anyone else, aside from Sen, found the database during the nine months it was spilling data.
It’s not the first time a car rental company has compromised its own customers’ data. Back in 2017, Hertz accidentally leaked the private data of 36,000 customers. France’s national data protection authority fined Hertz France €40,000 at the time because the data was found to be easily accessible online.