Taiwanese auto giant Hotai Motor exposed private customer data from its car rental and car-sharing division iRent until a security researcher found it online last week.
Even then, it took a week for the company to act — and intervention from the Taiwanese government.
Hotai Motor is one of the largest finance companies in Taiwan and the Taiwanese distributor for Toyota. iRent is a popular auto service app acquired by Hotai in 2022 that allows customers to pay by the hour to rent cars that are free-floating or available at the depot.
iRent reportedly has 1.1 million registered cars and 580,000 iRent users.
Security researcher Anurag Sen found an iRent database on a Hotai-owned cloud server containing customers' full names, cell phone numbers and email addresses, home addresses, photos of their driver's licenses and partially redacted payment card details.
Since the database was not password protected, anyone on the internet could access iRent customer data by knowing its IP address.
Sen said the exposed database contained millions of partial credit card numbers and at least 100,000 customer identification documents, including selfies, signatures and rental vehicle details.
TechCrunch reviewed a portion of the exposed data and confirmed Sen's findings. Web logs from Shodan, a search engine for exposed devices and databases, show that the database had been spilling data since May 2022 and contained about 4.2 terabytes of data at the time it was secured.
TechCrunch sent several emails to Hotai Motor this week with details of the exposed database, but did not receive a response. All the while, the database was being updated with new customer data in real time.
On January 28, TechCrunch contacted Taiwan's Ministry of Digital Affairs, the government department that regulates and oversees the country's internet and telecommunications, for help disclosing the security flaw to the company. In an emailed response, Taiwan's Minister of Digital Affairs Audrey Tang told TechCrunch that the exposed database had been flagged with Taiwan's National Computer Emergency Response Team, known as TWCERT/CC. Within an hour, the exposed iRent database could no longer be accessed.
After a while, Hotai Motor confirmed that it had secured the database. "We immediately blocked the external connection to this IP," the company said. Hotai said it would inform customers whose data was exposed.
It's unclear whether anyone other than Sen discovered the database, which had been spilling data over nine months.
This isn't the first time a car rental company has compromised its own customers' data. In 2017, Hertz accidentally leaked the personal data of 36,000 customers. France's national data protection authority fined Hertz France 40,000 euros at the time, after the data was found to be easily accessible online.