Rent Go exposes over 160K customer passports, driver’s licenses

The Turkey-based car rental service left an open Azure Blob Storage, revealing hundreds of thousands of document images that customers submitted to use the company’s service.

With the travel season approaching, many holiday-goers will start booking car rentals abroad. However, submitting ID documents to these services may come at a price, as the latest discovery from the Cybernews research team shows.

For example, Rent Go, one of Turkey’s largest car rental companies, has likely inadvertently exposed hundreds of thousands of its customers. The team discovered an exposed Azure Blob instance with over 322,000 records containing either passport or driver’s license details.

Since the number of records represents documents copied from both sides, the number of exposed documents is half that and stands at a tad over 161K.

Businesses employ Azure Blob to store large amounts of frequently updated data, such as a repository to store customer-submitted ID records.

RentGo Sample
Sample of the leaked data. Image by Cybernews.

The team discovered the open instance in early November 2023 and contacted the company on the same day. We have reached out to Rent Go for official comment but did not receive a reply before publishing this article.

Our researchers surmise that the instance had been exposed for at least a month prior to the discovery. Moreover, despite the team’s efforts to inform the company about the issue, Rent Go did not secure the exposed Azure Blob.

The information contained in the exposed instance corresponds with the necessary documentation that rental service customers are expected to submit to receive the service, namely, identification documents such as government-issued ID or driver’s license.

RentGo Sample2
Sample of the leaked data. Image by Cybernews.

The instance contains documents submitted from August 2019 and is updated in real-time, which means that likely anyone who has used Rent Go services over the past 4.5 years has had their data exposed.

While most of the exposed data appears to belong to Turkish citizens, EU citizen documents are also present in the exposed instance.

“This leak poses a significant threat as malicious actors could potentially engage in identity theft, fraudulent activities, or even sell documents on the dark web, leading to severe financial and personal security implications for the affected customers,” researchers said.

Istanbul-headquartered Rent Go operates 65 branches in over 20 cities throughout Turkey. The company claims to employ over 1,000 people.

More from Cybernews:

Shopify plugins leaked data from nearly 2K stores

Finland joins nations blaming China for hacks

Apple users face barrage of MFA bombing attacks

Thousands of ASUS routers targeted by cybercriminals

Facebook may have exploited user devices to spy on competitors, documents show

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked