Taiwanese automotive conglomerate Hotai Motor released a large amount of private customer data from iRent, the company’s car rental and car-sharing arm, until security researchers discovered the data online last week.
Still, it took the company a week to respond, and the Taiwanese government intervened.
Hotai Motor is one of Taiwan’s largest financial holding companies and Toyota’s distributor in Taiwan. iRent is a popular car service app and in 2022 he was acquired by Hotai. This allows customers to pay an hourly rate to rent a car found at a free floating or depot.
iRent has over 1.1 million vehicles registered and is said to have 580,000 iRent users.
On a cloud server owned by Hotai, security researcher Anurag Sen found iRent customers’ names, mobile phone numbers and email addresses, home addresses, driver’s license photos, and partially redacted payment card details. I found a database containing the internet.
Because the database was not password protected, anyone on the Internet could access iRent’s customer data simply by knowing their IP address.
The exposed database also contained millions of partial credit card numbers, at least 100,000 customer identification documents, selfies, signatures and car rental details, Sen said.
TechCrunch reviewed some of the published data to confirm Sen’s findings. Internet records of him by Shodan, a search engine for exposed devices and databases, show that the database leaked data dating back to his May 2022 and contained approximately 4.2 terabytes of data at the time it was secured. indicates that
TechCrunch has sent Hotai Motor several emails this week containing details of the exposed database, but has not received a response. All the while, the database was updated in real time with new customer data.
TechCrunch then contacted Taiwan’s Ministry of Digital, the government department that regulates and oversees Taiwan’s internet and telecommunications, on January 28, asking the company for help in disclosing the security revocation. Taiwan’s Minister of Digital Affairs Audrey Tan told TechCrunch in an email that the exposed database had been flagged by Taiwan’s National Computer Emergency Response Team, known as TWCERT/CC. I can no longer access my iRent database.
After some time, Hotai Motor confirmed that it had secured its database. “We immediately blocked external connections to this IP.” Hotai said it will notify customers whose data has been exposed.
It’s not clear if anyone other than Sen discovered the database during the nine months it was leaked.
This isn’t the first time a car rental company has compromised their customer data. In 2017, Hertz accidentally leaked the personal data of 36,000 of his customers. France’s National Data Protection Agency found that the data was easily accessible online, so at the time Hertz France he fined him €40,000.