Digital ministry helps contain iRent data leaks

Taipei, Feb. 1 (CNA) The Ministry of Digital Affairs (MODA) has taken action to secure a database that contained the personal information of tens of thousands of iRent users after it was found to have been left unprotected, a senior ministry official said Wednesday.

Foreign tech media Tech Crunch reported Tuesday that the database was on a cloud server owned by Taiwanese automotive conglomerate Hotai Motor Co., Ltd. that "was inadvertently accessible from the internet."

"Because the database was not password-protected, anyone on the internet could access the iRent customer data just by knowing its IP address," the report said.

The databank contained the names, mobile phone numbers, email addresses, home addresses, drivers' license photos, and partially redacted payment card details of the customers of iRent, a popular car rental and automobile/motorcycle-sharing services platform in Taiwan.

Tech Crunch further said it had reviewed a portion of the exposed data and confirmed the findings of security researcher Anurag Sen, who first discovered the exposed databank.

It said it sent several emails to Hotai Motor about the exposed database, without receiving a reply, and contacted the MODA, which it said took action to deal with the situation, according to the report.

Asked about the issue, Deputy Digital Affairs Minister Lee Huai-jen (李懷仁) confirmed that Minister Audrey Tang (唐鳳) was informed of the data leaks by a foreign media outlet during the Jan. 20-29 Lunar New Year holiday.

Because it was an information security incident involving a private company, Tang transferred the case to the Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC), which is run by the MODA-affiliated Taiwan Network Information Center, Lee said.

The center eventually blocked outside access to the database.

In a statement released by Hotai Motor's mobile services unit, meanwhile, the company said it addressed the data leak problem "at the first moment" and moved to reinforce the security of the database.

A full-scale check of related systems and an investigation into the case shed light on the possible impact of the data spillage, the company said, without elaborating.

It said only that security checks on the iRent system have been conducted regularly and that every transaction is protected under the Secure Sockets Layer (SSL) mechanism.

According to local media reports, iRent has nearly 1.4 million members, and is hoping to raise that number by 30 percent to 1.8 million in 2023 while increasing the number of automobiles for sharing from 2,000 vehicles to 9,000.

The Tech Crunch report cited Sen as saying that the exposed database contained millions of partial credit card numbers, and at least 100,000 customer identification documents, as well as selfies, signatures, and rental vehicle details.

It also said the database had been spilling data since May 2022 but added that it was not clear if anyone else other than Sen had found the database.