TAIPEI (Taiwan News) — An unsecured database of iRent, a car rental and carshare service run by Hotai Motor, has for the past nine months exposed users’ personal information online until a security researcher discovered the fact in January, reports said Tuesday (Jan. 31).

TechCrunch reported that the cloud server contained 4.2 terabytes of user data including names, phone numbers, addresses, driver's licenses, and payment details. As the server was not password protected, the data was left open for anyone who knew its IP address to access.

Furthermore, the database had been exposed since as early as May 2022. When TechCrunch contacted Hotai Motor during the Lunar New Year holiday regarding the issue, the company failed to respond.

It was not until TechCrunch contacted the Ministry of Digital Affairs on Saturday (Jan. 28) that Minister Audrey Tang (唐鳳) emailed to say the Taiwan Computer Emergency Response Team / Coordination Center had been notified of the incident. According to TechCrunch, the database became inaccessible within an hour of Tang’s reply.

iRent wrote in a statement later that it had blocked unauthorized access to the IP “immediately” and conducted a thorough system inspection to verify the scope of the leak. It added it would notify its customers of the data leak.

The Directorate General of Highways (DGH) at the Ministry of Transportation and Communications on Wednesday (Feb. 1) wrote in a press release that it will investigate whether the company had legally required security maintenance plans and whether it reported the incident according to regulations. Additionally, it sent an inspector to iRent to audit the company’s administration for any Personal Data Protection Act violations, which could result in fines between NT$20,000 (US$670) and NT$200,000.