iRent Taiwan customer data exposure
An unsecured, password-free cloud database belonging to Hotai Motor's iRent car-sharing service exposed roughly 4.2 terabytes of data on more than 400,000 customers, including driver's-license photos, selfies, and partial payment-card details.
- Victim
- iRent (Hotai Motor)
- records
- 400.0K
- users
- 400.0K
In late January 2023, security researcher Anurag Sen discovered that iRent, the car-sharing and short-term rental platform operated by Taiwanese auto conglomerate Hotai Motor, had left a customer database wide open on the internet. The unsecured server had reportedly been exposed since around May 2022, leaking sensitive personal data on more than 400,000 customers.
What happened
The database sat on a Hotai-owned cloud server with no password protection. Anyone who knew β or scanned for β its IP address could read the contents directly, with no credentials required. There was no hacking and no exploit; the data was simply misconfigured to face the public internet.
At the time it was secured, the database held roughly 4.2 terabytes of information. Exposed fields included customers' full names, mobile phone numbers, email addresses, and home addresses, along with photos of drivers' licenses, selfies, signatures, rental-vehicle details, and partially redacted payment-card numbers. Researchers counted at least 100,000 identity documents among the records.
Impact
- More than 400,000 customers who had registered with iRent had personal data exposed.
- The combination of government-issued ID photos, selfies, and contact details created acute risk of identity theft and scam targeting β a particular concern in Taiwan given the prevalence of fraud rings.
- iRent publicly apologized and offered affected users free rental hours as compensation.
Regulatory response
Taiwanese regulators reacted, but the penalties drew criticism for their modest size. The highways division of the Ministry of Transportation and Communications fined iRent NT$200,000 (about $6,600), and the Taipei city government imposed its statutory maximum of NT$90,000 (about $3,000). Both fines together amounted to less than $10,000 for a breach affecting hundreds of thousands of people.
Why it matters
The iRent exposure became a flashpoint in a wave of mass data leaks that prompted soul-searching about Taiwan's cybersecurity and data-protection regime. Commentators noted that Taiwan's existing penalties were too weak to deter negligent custodianship of personal data, and the episode added momentum to calls for a dedicated personal-data protection authority and stiffer fines β reforms Taiwan subsequently advanced. It also reinforced a global lesson: the most damaging breaches are often not sophisticated intrusions but basic cloud misconfigurations that leave terabytes of sensitive records one IP address away from anyone.
Timeline
iRent's customer database is left exposed on an internet-facing, password-free Hotai-owned cloud server.
Security researcher Anurag Sen discovers the open database; TechCrunch reports the exposure after Hotai is contacted.
Taiwan's Ministry of Transportation and Communications blocks public access to the exposed database.
iRent publicly apologizes and pledges to compensate affected users with free rental hours.
Taiwan's highways division fines iRent NT$200,000 and the Taipei city government imposes its maximum NT$90,000 penalty.
Sources
- techcrunch.comhttps://techcrunch.com/2023/01/30/hotai-motor-exposed-irent-customer-data/
- techcrunch.comhttps://techcrunch.com/2023/02/10/taiwan-irent-exposed-data/
- taipeitimes.comhttps://www.taipeitimes.com/News/taiwan/archives/2023/02/06/2003793818
- thediplomat.comhttps://thediplomat.com/2023/02/mass-data-leaks-sound-alarm-about-taiwans-cybersecurity/