Honda Database Leaks Customer Data Again
A database was discovered leaking the personal information of 26,000 North American Honda owners, along with information about their vehicles. The source of the leak was an Elasticsearch database belonging to American Honda Motor. A misconfiguration exposed the full names, email addresses, mailing addresses and phone numbers of vehicle owners, as well as vehicle information. The records appear to have been exposed for over a week, which could have given malicious parties enough time to copy the data for their own purposes.
The database was a data-logging and monitoring server for telematics services for North America, covering the process for new customer enrollment as well as internal logs. It was discovered accessible online to anyone with a web browser. Researchers estimated that there were 976 million records in the database. Honda said in a statement to the researcher that there were roughly 26,000 unique consumer-related records. This number was approximated by eliminating duplicate information and data that did not contain personally identifiable information.
While there is no evidence of this information being stolen, Honda's database was left exposed for more than a week. Unfortunately, the personal information that was exposed includes full names, email addresses and phone numbers, all of which can be used to launch highly targeted phishing attacks. This also leaves consumers vulnerable to identity theft, account hijacking and other types of cyberattacks well into the future.
In 2018, a Honda affiliate in India left two Amazon S3 buckets misconfigured for more than a year, affecting 50,000 users of the Honda Connect App, which is used to manage automobile service and maintenance. This time around, Honda quickly fixed the database misconfiguration and is taking measures to prevent similar incidents in the future.