Shell Recharge security breach exposed EV driver data

Oil giant Shell said it was investigating after a security researcher discovered an exposed internal database containing the personal details of drivers who use the company’s electric vehicle charging stations.
Security researcher Anurag Sen found an online database containing nearly a terabyte of log data relating to Shell Recharge, the company’s global network of hundreds of thousands of electric vehicle charging stations, which it acquired in part from Greenlots in 2019. Greenlots provided electric vehicle (EV) charging services and technologies for customers operating vehicle fleets.
The internal database, hosted on Amazon’s cloud, contained millions of logs, Sen said, including details of customers who used the EV charging network. The database had no password, allowing anyone on the Internet to access its data from their web browser.
The data, seen by TechCrunch, contained the names, email addresses and phone numbers of fleet customers who use the EV charging network. The database included the names of fleet operators, which identified organizations – such as police departments – with vehicles that charge on the network. Some of the data included vehicle identification numbers, or VINs.
Sen said the database also contains the locations of Shell’s electric vehicle charging stations, including private residential charging points. One of the exposed records seen by TechCrunch contained a residential address belonging to Greenlots CEO Andreas Lips.
It’s unclear what caused the database to be publicly exposed, or how long the data had been public, although some of the information is as recent as 2023.
Sen said he contacted Shell after discovering the exposed database. TechCrunch alerted Shell after Sen said he hadn’t heard back from the company. Shortly after TechCrunch contacted Shell, the database became inaccessible.
Shell spokeswoman Anna Arata told TechCrunch in a statement, “Shell has taken steps to contain and identify an exposure of Shell Recharge Solutions data. We are investigating the incident, continue to monitor our IT systems and will take any necessary future action as a result.”
Sen has previously found exposed data belonging to Amazon, Hotai Motor, PeopleGrove and JusTalk. Earlier this year, Sen discovered a database containing sensitive US military emails belonging to the US Special Operations Command.
techcrunch