Hotai Motor exposed thousands of iRent customer documents

Taiwanese automotive conglomerate Hotai Motor exposed reams of personal customer data from its car rental and carshare unit, iRent, until a security researcher found the data online last week.

Even then, it took the company a week — and the intervention of the Taiwanese government — to act.

Hotai Motor is one of the largest financial holdings companies in Taiwan, and also the Taiwanese distributor for Toyota. iRent is a popular auto service app, bought by Hotai in 2022, which allows customers to pay hourly to rent cars that can be found either free-floating or at a depot.

iRent reportedly has over 1.1 million registered cars and 580,000 iRent users.

Security researcher Anurag Sen discovered a database containing iRent customers' full names, cell phone numbers and email addresses, home addresses, photos of their drivers' licenses, and partially redacted payment card details, on a Hotai-owned cloud server that was inadvertently accessible from the internet.

Because the database was not password-protected, anyone on the internet could access the iRent customer data just by knowing its IP address.

Sen said the exposed database also contained millions of partial credit card numbers, and at least 100,000 customer identification documents, as well as selfies, signatures, and rental vehicle details.

TechCrunch reviewed a portion of the exposed data and confirmed Sen's findings. Internet records by Shodan, a search engine for exposed devices and databases, show the database was spilling data as far back as May 2022 and contained about 4.2 terabytes of data at the time it was secured.

TechCrunch sent several emails this week to Hotai Motor with details of the exposed database, but we did not receive a reply. All the while, the database was updating with new customer data in real time.

On January 28, TechCrunch subsequently contacted Taiwan's Ministry of Digital Affairs, the government department that regulates and oversees the country's internet and telecoms, for help in disclosing the security lapse to the company. In an emailed response, Taiwan's minister for digital affairs Audrey Tang told TechCrunch that the exposed database had been flagged with Taiwan's national computer emergency response team, known as TWCERT/CC. Within an hour, the exposed iRent database became inaccessible.

A short time later, Hotai Motor confirmed it had secured the database. "We had blocked the outside connection to this IP immediately." Hotai said that it would inform customers whose data was exposed.

It's not clear if anyone else, other than Sen, found the database during the nine months it was spilling data.

It’s not the first time a car rental company has compromised its own customers' data. Back in 2017, Hertz accidentally leaked the personal data of 36,000 customers. France’s national data protection authority fined Hertz France €40,000 at the time because the data was found to be easily accessible online.