iRent, a car-sharing service under Hetai Group and cloud mobile service, recently suffered a large leak of customer personal data: at least 100,000 customers' identity documents and signatures were exposed, which even alarmed Tang Feng, the head of the digital development department.

Heyun Mobile Services also issued a statement of apology today, and proposed responses and solutions to the relevant situation.

Foreign media outlet TechCrunch reported that information security officer Anurag Sen found a database on a cloud server owned by Hetai, and that the detailed information of at least 100,000 customers was exposed on the Internet.

TechCrunch also checked the exposed data to corroborate Anurag Sen's investigation; the leaked data went back as far as May 2022.

Heyun Mobile Service stated that the recent concerns about the outflow of members' personal information have caused unease among consumers and public concern, and that it would like to apologize to the public.

The reason for this incident is that "because external connections to the temporary database used internally to record application log files were not properly blocked, external information security professionals using specific tools and techniques may have been able to query three months of member change data in the database." The temporary database recorded personal information that may have been subject to external queries, including member name, phone number, address, masked credit card information (to eliminate doubts about fraudulent credit card use), ID card, birthday, email, emergency contact, and the photo files (encoded) uploaded by applicant members. iRent has notified at-risk users to stay alert, and has commissioned an external professional information security company to monitor whether any member information is leaked. The brand expresses its deepest apology.

Regarding the protective gap in the temporary database, iRent received a notification on 1/28 (Sat) and blocked the gap in 1 hour. It thanks all parties for their guidance and advice. The system has completed its information security strengthening and risk management mechanism. In addition to the Highway Administration of the Ministry of Communications immediately dispatching staff to conduct administrative inspections, the Taipei City Transportation Bureau, New Taipei City Transportation Bureau and other competent authorities have actively provided guidance and raised concerns on site many times. iRent is highly grateful and humbly accepts this.

After several days of investigation, iRent initially discovered and reported that "140,000 users may be affected in the past three months". However, out of regard for members' rights and to actively prevent fraud, it decided to apply a stricter information security protection principle and expand the number of users covered. The definition of "personal data risk object" has been adjusted to "all 400,100 users who have been involved in potential risks since the temporary database was launched", all of whom are included in the scope of this response. For users in this scope, email notifications were sent on the evening of 2/1 (Wednesday), and hour compensation will be provided on 2/2 (Thursday). An announcement will also be made on the official website to remind all members to be aware of potential fraud risks, and special personnel will be assigned to continuously monitor whether members' personal information has been violated.

iRent subsequently not only performs host system vulnerability scanning and penetration scanning, but also scans the source code of the App to ensure that the customer's transaction process is fully encrypted with SSL, and starts to pack.

In addition to reporting the improvement plan to the competent authority, we will cooperate with third-party professional information security units to conduct incident investigations, upgrade information security protection to the highest standards, and manage, keep and use user data properly with a more rigorous attitude.

The following is Heyun Mobile Service's response to this situation:

1. No customer personal information has been defrauded or used fraudulently, but the brand has comprehensively proposed a condolence plan

After the statement was released on the official website and APP on 1/31 and 2/1, the at-risk customers were notified by email on the evening of 2/1, and hour discount coupons were given as condolences. At this time, no member information has been defrauded or fraudulently used in a way that resulted in substantial losses to consumers.

2. Expand the number of identified potentially affected members

After an investigation, iRent initially found that 140,000 users may be affected. However, based on the principle of the highest protection of information security, and to ensure the consumption rights of members and prevent fraud, the definition of individuals at personal data risk has been expanded: all of the more than 400,000 users who may have been affected since the "temporary database" was launched have been included in the scope of this response. For users in this range, an email notification will be sent on the evening of 2/1, and an announcement will be made on the official website to remind all members to be aware of potential fraud risks. The brand also continues to monitor whether members' personal information has been violated.

3. The number of customer service inquiries by members has trended downward since the statement was issued

The number of customer service inquiries from members to iRent peaked when the incident was exposed, and decreased to only a dozen or so after the brand statement was issued.

4. There is no risk of outflow of important financial information of members

The iRent temporary database where the security gap occurred only saves masked credit card information (such as partial credit card numbers); the complete card number information is stored on the bank side, without any worries or risks of leakage.

5. The importance of personal information security control

Banks and financial holding companies, e-commerce platforms, shopping websites and others (even public organizations themselves) have experienced personal data leaks. How enterprises and the government can jointly monitor and control information security is a top priority, as is how to further cultivate technical talent in the IT industry. This also requires the joint efforts of industry, government and academia.
