Hotai Motor exposed hundreds of iRent customer documents • robotechcompany.com
Taiwanese automotive conglomerate Hotai Motor exposed reams of private customer data from its car rental and carshare unit, iRent, until a security researcher found the data online last week.
Even then, it took the company a week, and the intervention of the Taiwanese government, to act.
Hotai Motor is one of the largest financial holding companies in Taiwan, and also the Taiwanese distributor for Toyota. iRent is a popular car service app, bought by Hotai in 2022, which allows customers to pay hourly to rent cars that can be found either free-floating or at a depot.
iRent reportedly has over 1.1 million registered automobiles and 580,000 iRent customers.
Security researcher Anurag Sen found a database containing iRent customers’ full names, cell phone numbers and email addresses, home addresses, photos of their driver’s licenses, and partially redacted payment card details, on a Hotai-owned cloud server that was inadvertently accessible from the internet.
Because the database was not password-protected, anyone on the internet could access the iRent customer data just by knowing its IP address.
Sen said the exposed database also contained tens of millions of partial bank card numbers, and at least 100,000 customer identification documents, as well as selfies, signatures, and rental car details.
robotechcompany.com reviewed a portion of the exposed data and confirmed Sen’s findings. Internet records from Shodan, a search engine for exposed devices and databases, show the database had been spilling data as far back as May 2022 and contained about 4.2 terabytes of data at the time it was secured.
robotechcompany.com sent several emails this week to Hotai Motor with details of the exposed database, but we did not receive a reply. All the while, the database was updating with new customer data in real time.
On January 28, robotechcompany.com subsequently contacted Taiwan’s Ministry of Digital Affairs, the government department that regulates and oversees the country’s internet and telecoms, for help in disclosing the security lapse to the company. In an emailed response, Taiwan’s minister for digital affairs Audrey Tang told robotechcompany.com that the exposed database had been flagged with Taiwan’s national computer emergency response team, known as TWCERT/CC. Within an hour, the exposed iRent database became inaccessible.
A short while later, Hotai Motor confirmed it had secured the database. “We had blocked the outside connection to this IP instantly.” Hotai said that it would inform customers whose data was exposed.
It’s not clear if anyone else, other than Sen, found the database during the nine months it was spilling data.
It’s not the first time a car rental company has compromised its own customers’ data. Back in 2017, Hertz accidentally leaked the personal data of 36,000 customers. France’s national data protection authority fined Hertz France €40,000 at the time because the data was found to be easily accessible online.