Taiwanese automotive conglomerate Hotai Motor uncovered reams of non-public buyer knowledge from its automobile rental and carshare unit, iRent, till a safety researcher discovered the info on-line final week.
Even then, it took the corporate every week — and the intervention of the Taiwanese authorities — to behave.
Hotai Motor is among the largest monetary holdings corporations in Taiwan, and likewise the Taiwanese distributor for Toyota. iRent is a well-liked auto service app, purchased by Hotai in 2022, which permits prospects to pay hourly to hire automobiles that may be discovered both free-floating or at a depot.
iRent reportedly has over 1.1 million registered automobiles and 580,000 iRent customers.
Safety researcher Anurag Sen found a database containing iRent prospects’ full names, cellphone numbers and e mail addresses, house addresses, images of their drivers’ licenses, and partially redacted fee card particulars, on a Hotai-owned cloud server that was inadvertently accessible from the web.
As a result of the database was not password-protected, anybody on the web might entry the iRent buyer knowledge simply by realizing its IP tackle.
Sen mentioned the uncovered database additionally contained thousands and thousands of partial bank card numbers, and at the very least 100,000 buyer identification paperwork, in addition to selfies, signatures, and rental car particulars.
TechCrunch reviewed a portion of the uncovered knowledge and confirmed Sen’s findings. Web information by Shodan, a search engine for uncovered units and databases, present the database was spilling knowledge way back to Could 2022 and contained about 4.2 terabytes of information on the time it was secured.
TechCrunch despatched a number of emails this week to Hotai Motor with particulars of the uncovered database, however we didn’t obtain a reply. All of the whereas, the database was updating with new buyer knowledge in actual time.
On January 28, TechCrunch subsequently contacted Taiwan’s Ministry of Digital Affairs, the federal government division that regulates and oversees the nation’s web and telecoms, for assist in disclosing the safety lapse to the corporate. In an emailed response, Taiwan’s minister for digital affairs Audrey Tang advised TechCrunch that the uncovered database had been flagged with Taiwan’s nationwide laptop emergency response crew, often known as TWCERT/CC. Inside an hour, the uncovered iRent database grew to become inaccessible.
A short while later, Hotai Motor confirmed it had secured the database. “We had blocked the surface connection to this IP instantly.” Hotai mentioned that it could inform prospects whose knowledge was uncovered.
It’s not clear if anybody else, apart from Sen, discovered the database throughout the 9 months it was spilling knowledge.
It’s not the primary time a automobile rental firm has compromised its personal prospects’ knowledge. Again in 2017, Hertz unintentionally leaked the non-public knowledge of 36,000 prospects. France’s nationwide knowledge safety authority fined Hertz France €40,000 on the time as a result of the info was discovered to be simply accessible on-line.
