Incident

Data breach exposes EV drivers who recharged at Shell



Shell is currently conducting an investigation into a database breach that exposed the personal details of individuals who utilize their electric vehicle (EV) charging stations.

The discovery was made by a security researcher, who stumbled upon nearly one terabyte of log data pertaining to Shell Recharge, the company's extensive global network of hundreds of thousands of EV charging stations. The database had no password protection, rendering it accessible to anyone with an internet connection.

The compromised database contained millions of logs, with records containing names, email addresses, and phone numbers of fleet customers who availed themselves of the charging services. Additionally, the database revealed the names of fleet operators, enabling identification of organizations such as police departments that rely on the network to recharge their vehicles. Some entries even included vehicle identification numbers (VINs).

The database also disclosed the locations of Shell's EV charging stations, encompassing both public and private residential charging points. Notably, one of the exposed records contained the residential address of Greenlots CEO Andreas Lips.

It remains unclear how the database became publicly accessible or how long the data remained exposed. Some of the information within the database was as recent as 2023.

The researcher promptly contacted Shell after discovering the breach but received no response from the company. Subsequently, news outlets intervened and notified Shell about the issue, and the database became inaccessible shortly after.

Shell stated that they had taken measures to address and identify the breach in Shell Recharge Solutions data. No details are available as to the number of exposed individuals.
