Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Data of Honda Owners in North America Exposed Online

An Elasticsearch cluster containing information on Honda owners in North America was recently found to be accessible from the Internet without any authentication.

Discovered on December 11, 2019, by security researcher Bob Diachenko, the database was part of Honda North America infrastructure and it contained 976 million records.

An Elasticsearch cluster containing information on Honda owners in North America was recently found to be accessible from the Internet without any authentication.

Discovered on December 11, 2019, by security researcher Bob Diachenko, the database was part of Honda North America infrastructure and it contained 976 million records.

Of these, around 1 million records were found to include information about Honda owners and their vehicles, but the researcher said he was not able to confirm the exact number of unique customer records in the database.

The database stored names, contact details, and vehicle information, all of which could be accessed without a password. The company secured the server within hours after being notified, the researcher says.

Honda told the researcher that the leak involved a data logging and monitoring server for telematics services. The car maker also said that the estimated number of impacted customers was roughly 26,000.

“We are basing this number on a detailed review of the databases on this server, eliminating duplicate information and eliminating the data that does not contain consumer PII. […] The server on which the database resides was misconfigured on October 21, 2019,” Honda said.

The car maker also told Diachenko that no financial, credit card, or password information were present in the exposed database.

According to the security researcher, the database was exposed for over a week, meaning that malicious parties might have had time to copy the information, provided they discovered the exposure.

“Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations. We will continue to work on proactive security measures to prevent similar incidents in the future,” Honda said.

The database was first indexed by search engine BinaryEdge on December 4, but the researcher only discovered it on December 11. Honda’s security team in Japan was alerted the next day and the server was shut down by December 13, the researcher says.

Information stored in the database included full name of Honda owners, email address, phone number, mailing address, vehicle make and model, vehicle VIN, agreement ID, and other service information. Internal logs and maintenance records were also present on the server.

Malicious actors who might have had the chance to download the exposed data could use it in targeted phishing campaigns.

In July, an Elasticsearch database exposed data related to Honda’s internal network and computers, such as hostname, MAC address, internal IP, operating system version, installed patches, and more.

Related: Unprotected Database Exposes Details of Honda’s Internal Network

Related: Car Dealer Marketing Firm Exposed 198 Million Data Records

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...