An iRent vehicle is parked in a roadside parking spot in an undated photograph. Photo: Cheng Wei-chi, Taipei Times

NO PASSWORD: The data of 100,000 users of the platform might have been accessible since May, a security researcher told a US tech Web site

Staff writer, with CNA

The Ministry of Digital Affairs has blocked access to a database that contained the personal information of up to 100,000 iRent users, after it was found that the data were unprotected, a senior ministry official said yesterday.

The statement came after US Web site TechCrunch on Tuesday reported that a database containing iRent data “was inadvertently accessible from the Internet.”

It was on a cloud server owned by Taiwanese automotive conglomerate Hotai Motor Co, it said.

“Because the database was not password-protected, anyone on the Internet could access the iRent customer data just by knowing its IP address,” the report said.

The databank contained the names, mobile phone numbers, e-mail addresses, home addresses, drivers' license photographs and partly redacted payment card information of customers of iRent, a vehicle rental and sharing platform.

TechCrunch said security researcher Anurag Sen discovered the exposed database, adding that it had reviewed part of it and confirmed Sen's findings.

It said it sent several e-mails to Hotai Motor about the exposed database, but did not receive a reply.

It said it also contacted the ministry, which took action to deal with the situation.

Deputy Minister of Digital Affairs Lee Huai-jen confirmed that Minister of Digital Affairs Audrey Tang was informed about the exposed databank by a foreign media organization during the Lunar New Year holiday.

Tang referred the case to the Taiwan Computer Emergency Response Team Coordination Center, a unit operated by the ministry-affiliated Taiwan Network Information Center, because it was an information security incident involving a private company, Lee said.

The center blocked outside access to the database, he added.

Hotai Motor's mobile services unit said in a statement that it had addressed the exposed database “at the first moment” and reinforced its security.

A full-scale check of related systems and an investigation into the case shed light on the possible impact of the data spillage, the company said, without elaborating.

Security checks on the iRent system have been conducted regularly, it said, adding that iRent transactions are protected under the Secure Sockets Layer protocol.

Chinese-language media reported that iRent has nearly 1.4 million members and that the company hopes to raise that number to 1.8 million this year, while increasing the number of vehicles from 2,000 to 9,000.

The TechCrunch report cited Sen as saying that the exposed database contained millions of partial credit card numbers and at least 100,000 customer identification documents, as well as selfies, signatures and rental vehicle details.

It also said the database had been unprotected since May last year, adding that it was unclear whether any unauthorized party had accessed it.

News source: TAIPEI TIMES