CloudDefense.AI Discovers Critical Security Data Breach for Oil Giant Shell

Anurag Sen
9 Jun

CloudDefense.AI, a cybersecurity company, uncovered a critical data leak affecting Shell, the oil giant. The breach exposed the personal information of electric vehicle (EV) drivers, including the Greenlots CEO's personal details. 

During the investigation, CloudDefense’s security researcher discovered an unprotected internal database linked to Shell Recharge. This extensive database contained nearly a terabyte of logging data related to Shell's vast network of EV charging stations, a network Shell obtained, in part, through its acquisition of Greenlots in 2019. Greenlots had been providing EV charging services and technology to customers with vehicle fleets.

The database, hosted on Amazon's cloud infrastructure, comprised millions of logs containing sensitive customer information. Disturbingly, the lack of password protection meant that anyone with internet access could freely browse and access the data.

TechCrunch, upon examining the leaked information, found that it included names, email addresses, and phone numbers of fleet customers utilizing Shell's EV charging network. Furthermore, the database disclosed the names of fleet operators, which allowed for the identification of organizations, such as police departments, with vehicles reliant on the charging network. Some of the compromised data even included vehicle identification numbers (VINs).

In addition to customer data, the exposed database unveiled the locations of Shell's EV charging stations, encompassing both public and private residential charging points. Notably, TechCrunch identified a record containing the residential address of Greenlots CEO Andreas Lips among the exposed information.

The cause and duration of the database's exposure remain unclear, although some of the compromised data was as recent as 2023. Upon discovering the breach, CloudDefense's security researcher Anurag Sen promptly notified Shell. However, when he did not receive a response, he alerted TechCrunch, which then contacted Shell on his behalf. Shortly after being contacted by TechCrunch, Shell took action to render the database inaccessible.

Shell spokesperson Anna Arata acknowledged the incident and stated that Shell had implemented measures to contain and identify the exposure of Shell Recharge Solutions data. The company is actively investigating the matter, continuously monitoring its IT systems, and will take necessary actions accordingly.

Anurag Sen
Anurag Sen (Twitter: @hak1mlukha) is a renowned cybersecurity expert known for his successful identification of exposed data from major companies like Amazon, Hotai Motor, PeopleGrove, and JusTalk. Notably, he recently discovered a database containing sensitive U.S. military emails belonging to the U.S. Special Operations Command, solidifying his expertise in tackling complex cybersecurity challenges.