Shell is investigating after a security researcher identified an exposed internal database that included data about drivers who use its electric vehicle charging stations.
Security researcher Anurag Sen identified a database with nearly a terabyte of logging data from Shell Recharge, the company’s worldwide network of hundreds of thousands of electric vehicle charging stations, which it bought partly from Greenlots in 2019. Greenlots offers EV charging services and technologies to fleet operators.
Sen said the Amazon-hosted internal database had millions of logs, including EV charging network customers’ information. The database’s data could be accessed from a web browser without a password.
TechCrunch saw the names, email addresses, and phone numbers of fleet customers who use the EV charging network. Fleet operators, such as police departments, with vehicles that recharge on the network were listed in the database. Vehicle identification numbers (VINs) were also included.
Sen said the database included Shell’s EV charging stations, including residential ones. TechCrunch found Andreas Lips’ address in a leaked record. The database’s public exposure is unclear, but some data is from 2023.
Sen informed Shell of the vulnerable database. After Sen didn’t hear from Shell, TechCrunch notified the company. The database went offline when TechCrunch contacted Shell.
Shell representative Anna Arata told TechCrunch: “Shell has taken steps to contain and identify an exposure of Shell Recharge Solutions data. We are researching, monitoring our IT systems, and will take any necessary actions.”
Sen discovered Amazon, Hotai Motor, PeopleGrove, and JusTalk data. Sen found a U.S. Special Operations Command email database earlier this year.