Taiwanese authorities have fined car rental and ride sharing giant iRent after TechCrunch revealed the company was spilling customers’ data and identity documents onto the open web for months.
According to local media reports, iRent, which is owned by Taiwanese auto conglomerate Hotai Motor, received two separate fines for failing to adequately protect the data of more than 400,000 customers.
In a press release on Thursday, Taiwan’s highways division under the transport ministry said iRent violated the country’s data protection rules and fined the company NT$200,000 (about $6,600). The company was also ordered to improve its security by the end of February or face further fines.
Meanwhile, the government of Taiwan’s capital city Taipei also imposed a maximum fine of NT$90,000 (about $3,000), for failing to “fulfill its management responsibilities,” for which the agency described the circumstances as “serious.”
The fines landed days after TechCrunch revealed that iRent left an exposed database containing reams of customer information on the internet but without a password. Security researcher Anurag Sen found the exposed database, but iRent took a week — and the swift intervention of the Taiwanese government — to respond. A short time after TechCrunch alerted Taiwan’s digital ministry about the company’s security lapse, the exposed database was secured.
The database contained customers’ full names, cell phone numbers, email and home addresses, partial credit card numbers, and at least 100,000 customer identification documents, as well as selfies, signatures, and rental vehicle details. The database was updating with new customer data in real-time.
Days after the database was secured, Taiwanese government inspectors were sent to investigate the company, and found that iRent did not have an adequate security plan in place.
“The bureau will continue to urge motor transport operators to implement user personal information protection and corporate social responsibility to protect consumer rights,” said Taiwan’s highways division in a statement.
Following the incident, Taiwan’s vice premier Cheng Wen-tsan said that the fine against iRent was “too light,” and that the government planned to propose a law amendment aimed at increasing fines by ten-fold for private companies found to have spilled people’s personal information.