[BreachExchange] Honda exposes customer data on unsecured Elasticsearch database for the second time this year

Destry Winant destry at riskbasedsecurity.com
Fri Dec 20 10:08:47 EST 2019


Honda Motor Co. has been found to be exposing customer data on an
unsecured Elasticsearch database for the second time this year, though
this time around the number of records exposed is in dispute.

The exposed database, discovered Dec. 11 by security researcher Bob
Diachenko and publicized today, is described as including 976 million
records, of which Diachenko claims 1 million were of Honda owners and
their vehicles.

The Elasticsearch database required no password or other
authentication, could be viewed by anyone using a browser and included
full names, email addresses, vehicle identification numbers, agreement
ID numbers and other vehicle information.

Honda confirmed that the database had been exposed but contended that
the number of customer records was actually 26,000. Honda also noted
that no customer financial information, card data or credentials were

Whatever the number of customer records exposed actually was, that
Honda could repeat the same mistake it made in July, when 134 million
records were exposed, arguably rises to new levels of data management
clumsiness. There’s no excuse for a company to continue to repeat data
exposures in this manner, experts say.

“Companies that manage consumer data are obligated to keep it secure,
however, suffering two incidents within the same year should signal to
Honda that it is time to enact the proper security controls,” Chris
DeRamus, chief technology officer of cybersecurity firm DivvyCloud
Corp., told SiliconANGLE.

“The truth is that misconfigured databases have been one of the most
common causes of breaches in the past year,” DeRamus explained.
“However, the self-service nature of cloud means that users not
familiar with security settings and best practices can easily create
databases or alter configurations, which results in massive leaks of
data, unbeknownst to them.”

Anurag Kahol, CTO of cloud access security broker Bitglass Inc., noted
that it’s imperative that the proper security controls are always in
place to secure customer data.

“While there is no evidence of this information being exfiltrated by
malicious actors, Honda’s database was left exposed for more than a
week,” Kahol added. “This is more than enough time for cybercriminals
to discover, harvest and abuse the data. Unfortunately, the personally
identifiable information that was exposed includes full names, email
addresses and phone numbers, all of which can be used to launch highly
targeted phishing attacks.”

Stephan Chenette, co-founder and CTO at enterprise cybersecurity
company AttackIQ Inc., said that this kind of carelessness was common
throughout the past year. “These incidents could have easily been
prevented if the impacted companies were continuously validating the
efficacy of their security controls,” he said.
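One concrete form of the control validation Chenette describes, for the failure mode in this incident (an Elasticsearch node answering anonymous requests), is a recurring audit that checks every Elasticsearch endpoint in your own inventory still demands credentials. The script below is an added example, not code from the article, Honda or any vendor quoted here; it uses only the Python standard library, and the local stand-in node it spins up is constructed for an offline demonstration (no real hostnames are involved).

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

def check_es_auth(base_url, timeout=5):
    """Classify one Elasticsearch endpoint: 'EXPOSED' when GET / answers 200
    with a cluster banner and no credentials (the Honda failure mode),
    'AUTH_REQUIRED' on 401/403, 'UNREACHABLE' otherwise. Only / is fetched."""
    req = Request(base_url.rstrip("/") + "/", headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return "AUTH_REQUIRED" if err.code in (401, 403) else "HTTP_%d" % err.code
    except (URLError, OSError, ValueError):
        return "UNREACHABLE"
    return "EXPOSED" if "cluster_name" in body else "UNEXPECTED_200"

class _FakeNode(BaseHTTPRequestHandler):
    """Constructed stand-in for an Elasticsearch node so the check runs offline."""
    secured = False  # set per server by start_fake_node

    def do_GET(self):
        if self.secured:  # a node with authentication enabled rejects anonymous GET /
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="security"')
            self.end_headers()
            return
        body = json.dumps({"cluster_name": "demo", "tagline": "You Know, for Search"})
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args): pass  # keep request logging quiet

def start_fake_node(secured):
    """Start a throwaway local server on a free port; returns (base_url, server)."""
    handler = type("Node", (_FakeNode,), {"secured": secured})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv

if __name__ == "__main__":
    for secured in (False, True):
        url, srv = start_fake_node(secured)
        print(url, "->", check_es_auth(url))  # EXPOSED, then AUTH_REQUIRED
        srv.shutdown()
```

Run it on a schedule against your asset inventory and alert on any 'EXPOSED' verdict; a node that should never be reachable from the scanning network should instead come back 'UNREACHABLE'.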
