Japanese car manufacturer, Honda, has exposed personally identifiable information (PII) of 26,000 of its North American customers. The Honda customer records leak was caused by a misconfigured Elasticsearch cluster, which is a distributed full-text search engine used to analyze large volumes of data.
This latest data security incident was discovered by security researcher Bob Diachenko. He discovered some 976 million records in an exposed database. However, Honda claims that the number of unique records were actually 26,000. This figure is reached if duplicate information and data not containing consumer PII information is eliminated.
The records contained Honda customers’ vehicle owner data. They included customers’ names, contact details and information about their vehicles, such as make, model and VIN number. Luckily the database did not contain any customer financial information. In a statement sent to Diachenko by Honda, they stated: “We can also say with certainty that there was no financial, credit card or password information exposed on this database.”
Cause of Incident
Diachenko discovered the unsecured Elasticsearch database on December the 11th, while he was conducting a search using the BinaryEdge search engine.
Once Diachenko informed Honda of the exposed customer records the next day, Honda quickly investigated the issue. Honda’s investigations revealed that the cause of the leak was due to a misconfiguration of an Elasticsearch cluster. Honda also confirmed that the leak was not the result of a data breach.
Risks of Exposed Information
It is not known if the unsecured database was discovered by malicious actors before it was shut down by Honda on the 13th of December 2019. Honda said that “The server on which the database resides was misconfigured on October 21, 2019”. Therefore, possible scammers had just short of two months to find and copy the Honda customer records for their own purposes.
Scammers generally use such personal details, as found in this unsecured database, for targeted phishing campaigns. In such campaigns, affected customers receive emails and other messages from scammers posing as trusted organizations like Honda. The scammers’ aim is to trick victims into giving up sensitive information or money.
Not Honda’s First Data Security Incident this Year
In August this year, Honda suffered a data breach in which 40Gb of corporate and employee information was stolen. Once again, this incident involved an unsecured Elasticsearch database.
As per the latest incident, this database was also left exposed without any authentication required to access it. Instead of customer records, however, the database contained information about Honda’s security systems and networks. It also contained technical information belonging to Honda such as IP addresses, operating systems and update logs.
This stolen technical data gave hackers the details needed to potentially engage in a massive cyberattack against Honda. Essentially, whoever stole this data could own Honda’s networks and the vast amounts of potentially sensitive data held within them. Thus, everyone waits with bated breath to see what happens next.