Taiwan battles leaks of personal information in ride sharing apps

Personal information leaks in Taiwan's car rental apps

Ministry of Digital Development pledges help after suspected leak at Car-Plus


TAIPEI (Taiwan News) — A data breach is threatening yet another car rental agency in Taiwan, drawing the attention of politicians and help from government authorities tasked with protecting citizens’ personal data.

New Power Party legislator Chiu Hsien-chih (邱顯智) and technology engineer Wang Jinghong (王景弘) held a press conference at the legislature where they questioned Car-Plus Rental about its cloud storage security, warning that it was unsafe and could potentially reveal member data and order information to third parties, per CNA.

Car-Plus

In response, Car-Plus issued a press release today noting that it had closed its Go Smart app on Feb. 2, one hour after it learned of the potential breach of information, and that it immediately checked the database and found no abnormal queries or downloads.

While it found no irregularities, it did take the necessary steps and notified all 16,000 users registered with the app on Feb. 3 of the potential breach.

At present, the company uses encryption protection and has taken extra measures to ensure there is no disclosure of the personal information of its users. The company added that it takes the safety of personal data seriously and has strengthened relevant database safety in accordance with ISO-27001 information security verification which includes regular scanning and high-strength firewall mechanisms.

Legislator Chiu Hsien-chih and Wang Jinghong warned that Car-Plus user information was at risk, with information related to some 100,000 transactions potentially leaked, and they called on the government to set up an organization as soon as possible to ensure the security of the personal data of all citizens.

iRent

Wang Jinghong explained that, following last week's personal data leak associated with iRent, operated by Hotai, yet another car rental service was at risk. He alleged that the mainframe server host does not implement proper identity verification and that cloud storage is not properly configured, so all members' order information can be queried, including member name, date of birth, and ID card number.

Wang Jinghong said that according to a current security test, there are more than 100,000 PDF order data files that do not have any access restrictions, potentially putting more than 16,000 users at risk.

iRent will prepare a compensation package for 400,000 at-risk clients from the recent leak, according to reports on Saturday (Feb. 4). Reports emerged that the data included names and addresses as well as information about driver’s licenses and payment details.

The number of users estimated to be affected by the data leaks over the past three months is thought to be 140,000, per UDN.

Government Response

Regarding the recent breach of personal information, Ministry of Digital Development Deputy Minister Lee Huai-jen (李懷仁) said in a press release that, according to the Personal Data Protection Law, personal data is under the supervision of the relevant authorities, and that a suspected leak or any information security incident can be immediately reported to the Taiwan Network Information Center (TWNIC), a consortium supervised by the Ministry of Digital Development.

Lee pointed out that the promotion of Zero Trust Architecture and a unified transmission standard (T-Road) can also contribute to improving data security.

As for private information security, the ministry has convened a meeting of e-commerce operators, with the potential to roll out strict requirements to monitor information security while at the same time subsidizing media information security operators to assist e-commerce operators in detecting defects and seeking improvements.

The Ministry of Digital Technology emphasized that, in addition to the government's efforts to protect information security and personal data, improving protection capabilities also requires private organizations and everyone to work together.