
Hotai Motor exposed thousands of iRent customer documents

Taiwanese automobile conglomerate Hotai Motor exposed reams of personal data on customers of its car sharing and rental unit, iRent, until a security researcher found the data online a few weeks ago.

Even so, it took the company a week - and the intervention of the Taiwanese government - to act.

Hotai Motor is one of the largest financial holding companies in Taiwan, and also the Taiwanese distributor for Toyota. iRent is a popular car service app, bought by Hotai in 2022, which allows customers to pay by the hour to rent cars that can be found free or in storage.

Apparently iRent has more than 1.1 million registered cars and 580,000 users.

Security researcher Anurag Sen discovered a database containing the full names, mobile phone numbers, email addresses, home addresses, driver's license photos, and partially redacted payment card details of iRent customers, on a Hotai-owned cloud server that was inadvertently accessible from the Internet.

Since the database was not password protected, anyone on the Internet could access iRent customers' data just by knowing its IP address.

According to Sen, the exposed database also contained millions of partial credit card numbers and at least 100,000 customer identification documents, as well as selfies, signatures and rental vehicle data.

Internet searches conducted on Shodan, a search engine for exposed devices and databases, show that the database was leaking data as far back as May 2022 and contained some 4.2 terabytes of data at the time it was secured. It's unclear if anyone other than Sen found the database during the nine months it was leaking data.

It is not the first time that a car rental company has endangered the data of its own customers. In 2017, Hertz accidentally leaked the personal data of 36,000 customers. The French national data protection authority fined Hertz France 40,000 euros because the data was easily accessible online.
