Unprotected Database Exposes Details of Honda’s Internal Network

An unprotected, internet accessible ElasticSearch database exposed 134 million rows of sensitive data from Honda Motor Company, containing technical details on employee computers, including its CEO, Cloudflare security researcher Justin Paine reveals. 

One of the largest automobile manufacturers in the world, Honda has offices around the globe, including Japan, United States, the U.K., Mexico, and elsewhere.

The insecure database was apparently made publicly accessible on July 1 and the security researcher discovered it on July 4 via Shodan. The database was promptly secured by Honda after being alerted by the researcher.

According to Paine, the information within the exposed database included data related to the internal network and computers of Honda. Specifically, the database appeared to be an inventory of all Honda internal computers. 

The exposed data involved machine hostname, MAC address, internal IP, operating system version, installed patches, and the status of Honda’s endpoint security software, Paine reveals. 

Within the database, the security researcher found around 134 million documents, amounting to around 40GB of around 3.5 months-worth of data (the information went as far back as March 13, 2019). According to the researcher, roughly 40,000 data points were being added to the database every day.

Due to its nature, the exposed information could allow an attacker to discover weaknesses within Honda’s internal network, given that it included specific details the security vendor used and the patch level on each system. Even machines without endpoint security software installed were listed there, Paine reveals. 

In addition to machine-related information, the database also included employee data in one of its tables. Specifically, the researcher found there information such as employee email address, employee name, department, last login, employee number, account name, and a mobile field that was empty. 

The database even included information related to the CEO’s laptop, including CEO’s full name, full email, email nickname, employee ID, account name, last login date, department, MAC address, installed patches, OS, OS version, endpoint security status, IP, and device type.

“Thank you very much for pointing out the vulnerability. The security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers,” Honda told the researcher in an email. 

The automaker also said that an investigation of the system’s access logs has revealed no signs of data being downloaded by any third parties. 

“At this moment, there is no evidence that data was leaked, excluding the screenshots taken by you. We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future,” the company said. 

Related: Provider of Data Services for Fortune 100 Firms Exposed Sensitive Files