UPDATED 22:36 EDT / DECEMBER 18 2019

SECURITY

Honda exposes customer data on unsecured Elasticsearch database for the second time this year

Honda Motor Co. has been found to exposing customer data on an unsecured Elasticsearch database for the second time this year, though this time around the number of records exposed is in dispute.

The exposed database, discovered and publicized today by security researcher Bob Diachenko Dec. 11, is described as including 976 million records of which Diachenko claims 1 million were of Honda owners and their vehicles.

The Elasticsearch database had no password or other authenticated needed, could be viewed by anyone using a browser and included full names, email addresses, vehicle identification numbers, agreement ID numbers and other vehicle information.

Honda confirmed that the database had been exposed but contended that the number of customer records was actually 26,000. Honda also noted that no customer financial information, card data or credentials were exposed.

Whatever the number of customer records exposed actually was, that Honda could repeat the same mistake it made in July where 134 million records were exposed arguably rises to new levels of data management clumsiness. There’s no excuse for a company to continue to repeat data exposures in this manner, experts say.

“Companies that manage consumer data are obligated to keep it secure, however, suffering two incidents within the same year should signal to Honda that it is time to enact the proper security controls,” Chris DeRamus, chief technology officer of cybersecurity firm DivvyCloud Corp., told SiliconANGLE.

“The truth is that misconfigured databases have been one of the most common causes of breaches in the past year,” DeRamus explained. “However, the self-service nature of cloud means that users not familiar with security settings and best practices can easily create databases or alter configurations, which results in massive leaks of data, unbeknownst to them.”

Anurag Kahol, CTO of cloud access security broker Bitglass Inc., noted that it’s imperative that the proper security controls are always in place to secure customer data.

“While there is no evidence of this information being exfiltrated by malicious actors, Honda’s database was left exposed for more than a week,” Kahol added. “This is more than enough time for cybercriminals to discover, harvest and abuse the data. Unfortunately, the personally identifiable information that was exposed includes full names, email addresses and phone numbers, all which can be used to launch highly targeted phishing attacks.”

Stephan Chenette, co-founder and CTO at enterprise cybersecurity company AttackIQ Inc., said that this kind of carelessness was common throughout the past year. “These incidents could have easily been prevented if the impacted companies were continuously validating the efficacy of their security controls,” he said.

Photo: Shuets Udono/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU