Leading EV Charging Firm Spills Trove of Customer Info in Server Leak

Cybersecurity researcher Jeremiah Fowler has uncovered a troubling data exposure incident, yet again drawing attention to broader concerns surrounding data security. Fowler, in collaboration with WebsitePlanet, uncovered a non-password-protected database containing over half a million records, including sensitive customer information and invoices from a prominent American EV services provider.

The exposed database, totalling 585.81 GB in size, contained a trove of documents such as work invoices, price proposals, electrical permits, and surveys, alongside customer-submitted information including images of their homes and charger location details.

According to Fowler’s blog post, upon investigation, he identified the data as belonging to Qmerit, a Texas-based company specializing in EV charging infrastructure installation and maintenance since 2016.

Following the responsible disclosure by Fowler, Qmerit swiftly took action to secure the exposed data and initiate an internal investigation. In response to the incident, Qmerit emphasized its commitment to prioritizing security and protecting Personally Identifiable Information (PII). However, the duration of the data exposure and potential unauthorized access remain uncertain, warranting further scrutiny through internal forensic audits.

Fowler clarified that his findings do not imply wrongdoing on Qmerit’s part or suggest imminent threats to customer or contractor safety. However, the incident must be taken as a lesson surrounding the importance of vital data protection measures in protecting customer privacy and maintaining trust in the market.

Despite this incident, Qmerit continues to position itself as a leading player in North America’s EV services industry, boasting partnerships with major automakers and a track record of over 269,000 EV charger installations.