An exposed database was discovered leaking the personal information of 26,000 North American Honda owners and their vehicles. The Elasticsearch database in question is owned by the American Honda Motor Co., a North American subsidiary of the Honda Motor Co.
The cloud misconfiguration exposed the full names, email addresses, mailing addresses and phone numbers of vehicle owners, as well as vehicle makes and models, VIN numbers, agreement IDs and other service information. The server also contained some internal logs and maintenance records.
“The records appear to have been exposed for over a week, which would have allowed malicious parties ample time to copy the data for their own purposes if they found it,” security researcher Bob Diachenko said in a Wednesday analysis. “We don’t know if any other unauthorized parties accessed the database while it was not secured.”
The database was a data-logging and monitoring server for telematics services for North America, covering the process for new customer enrollment as well as internal logs. It was discovered accessible online to anyone with a web browser.
Diachenko first discovered the unprotected database on Dec. 11 and notified Honda’s security team on Dec. 12. The server was shut down the next day.
While Diachenko estimated that there were 976 million total records in the database, Honda in a statement to the researcher said that there were roughly 26,000 unique consumer related records. This number was approximated by eliminating duplicate information and data that did not contain consumer PII (personal identifiable information), according to Honda.
“We quickly investigated this issue, determined the specific breach in protocol, and took immediate steps to address the vulnerability,” Honda said in a statement. “All data in this database is now secure. We can also say with certainty that there was no financial, credit card or password information exposed on this database.”
However, the server on which the database resides was misconfigured on Oct. 21, leaving the information open for the taking for a week. If malicious third parties were able to access the data, it could lead to an array of attacks – most notably, using the customer PII data for highly targeted phishing attacks, security experts said.
“While there is no evidence of this information being exfiltrated by malicious actors, Honda’s database was left exposed for more than a week,” Anurag Kahol, CTO at Bitglass, said in an email. “This is more than enough time for cybercriminals to discover, harvest and abuse the data. Unfortunately, the PII that was exposed includes full names, email addresses and phone numbers, all which can be used to launch highly targeted phishing attacks. This also leaves consumers vulnerable to identity theft, account hijacking and other types of cyberattacks well into the future.”
It’s only the latest security faux pas to hit Honda. In July, an unsecured database was found leaking crucial information about Honda’s global systems, including which devices aren’t up-to-date or protected by security solutions.
And in 2018, a Honda affiliate in India left two Amazon S3 buckets misconfigured for more than a year, affecting 50,000 users of the Honda Connect App, which is used to manage automobile service and maintenance. Honda was also affected by the WannaCry ransomware incident in 2017, which forced it to shut down production at one of its Japanese plants.
“Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations. We will continue to work on proactive security measures to prevent similar incidents in the future,” Honda said in its statement.
