Hotai Motor has exposed thousands of iRent customer documents • businessroundups.org

Taiwanese automotive conglomerate Hotai Motor exposed large amounts of personal customer data from its car rental and car-sharing unit, iRent, until a security researcher found the data online last week.

Even then, it took the company a week — and the intervention of the Taiwanese government — to act.

Hotai Motor is one of the largest financial holding companies in Taiwan, and also Toyota’s Taiwanese distributor. iRent is a popular car service app, purchased by Hotai in 2022, that allows customers to pay by the hour to rent cars that can be found free-floating or at a depot.

iRent reportedly has more than 1.1 million registered cars and 580,000 iRent users.

Security researcher Anurag Sen discovered a database containing iRent customers' full names, mobile phone numbers, email addresses, home addresses, photos of their driver's licenses, and partially redacted payment card information on a Hotai cloud server that was inadvertently left accessible over the internet.

Since the database was not password protected, anyone on the internet could access the iRent customer data by knowing the IP address.

Sen said the exposed database also contained millions of partial credit card numbers and at least 100,000 customer identification documents, as well as selfies, signatures and rental car details.

businessroundups.org has reviewed some of the exposed data and confirmed Sen's findings. Internet records from Shodan, a search engine for exposed devices and databases, show that the database was exposing data as early as May 2022 and contained about 4.2 terabytes of data at the time it was secured.

businessroundups.org sent several emails to Hotai Motor this week detailing the exposed database, but we received no response. All the while, the database was updated in real time with new customer data.

businessroundups.org then contacted Taiwan's Ministry of Digital Affairs, the government department that regulates and oversees the country's internet and telecommunications, on Jan. 28 for assistance in disclosing the vulnerability to the company. In an email reply, Taiwan's digital affairs minister Audrey Tang told businessroundups.org that the exposed database had been flagged to Taiwan's national computer emergency response team, known as TWCERT/CC. Within an hour, the exposed iRent database was inaccessible.

A short time later, Hotai Motor confirmed that it had secured the database. “We immediately blocked the remote connection to this IP address.” Hotai said it would inform customers whose data has been made public.

It’s not clear if anyone other than Sen found the database during the nine months that data was spilled.

It is not the first time that a car rental company has compromised its own customers’ data. In 2017, Hertz accidentally leaked the personal information of 36,000 customers. France’s national data protection authority imposed a fine on Hertz France of €40,000 at the time because the data turned out to be easily accessible online.
