Significant Data Exposure in Leading EV-Service Provider’s Database


Recently, WebsitePlanet reported about a concerning revelation: a non-password-protected database containing a staggering 573,309 records was exposed online. This trove included sensitive information such as invoices and customer data from a prominent American EV-services provider.

The surge in electric vehicle (EV) adoption has reshaped the automotive industry, driven by factors like environmental consciousness, government incentives, and technological advancements. As of 2023, approximately 2,442,270 electric vehicles are registered in the United States and 132,783 in Canada, underscoring the rapid growth of this sector. However, this expansion necessitates robust infrastructure, including charging stations both public and private.

The exposed database, comprising 585.81 GB of data, contained a myriad of documents ranging from work invoices to electrical permits and surveys, all submitted by customers. Further investigation revealed that the compromised data belonged to Qmerit, a Texas-based company specializing in EV charging infrastructure installation and maintenance.

Qmerit, North America’s leading provider in distributed workforce management for EV charging and other energy transition technologies, promptly responded to the disclosure, emphasizing their commitment to data security. Nevertheless, the duration of the exposure and potential unauthorized access remain unclear, warranting internal forensic scrutiny.

Among the exposed documents were customer names, addresses, and property details, necessitating stringent privacy safeguards. Mishandling of such sensitive information could expose homeowners to various risks, including unauthorized access and identity theft.

Moreover, the exposure of customer and contractor invoices raises concerns about potential fraudulent activities. Invoice fraud, a prevalent issue across industries, can inflict significant financial losses on businesses. While there’s no indication of specific risks to Qmerit’s clientele, vigilance against such threats is imperative.

Personal information leakage opens the door to identity theft and sophisticated forms of fraud. Cybercriminals could exploit this data to impersonate customers or contractors, perpetrating targeted phishing attacks. The inclusion of property images in the database further amplifies privacy concerns, potentially facilitating physical theft or social engineering schemes.

To mitigate these risks, customers and contractors are advised to scrutinize requests for sensitive information and rely on official communication channels. Meanwhile, companies should prioritize encryption, conduct regular security audits, and adhere to data-protection best practices.

It’s crucial to note that no wrongdoing is implied by Qmerit or their contractors. The intent is to raise awareness of potential risks and foster cybersecurity resilience. As ethical researchers, Fowler underscores the importance of responsible data handling and dissemination to bolster cybersecurity awareness and fortify defenses against malicious exploitation.