Honda exposes data of 26,000 customers in US

Honda, the world’s seventh-largest carmaker, hasn’t escaped 2019 without another blow to its name.
19 December 2019


Following a breach earlier this year, it’s emerged that the Japanese automotive giant Honda has exposed the records of an estimated 26,000 vehicle owners. The breach is now fixed, and the data isn’t believed to have been compromised.

The data, which comprised personally identifiable information (PII) belonging to North American customers, was exposed due to a misconfiguration of an Elasticsearch cluster. Honda’s security team addressed the issue after it was discovered by cybersecurity researcher Bob Diachenko on December 12.

According to Diachenko, the information, which included customers’ full names, email addresses, phone numbers, mailing addresses, vehicle makes, models, vehicle identification numbers (VINs), agreement IDs, and other service information, was accessible without authentication for more than a week after it was indexed by the search engine on December 4.

While Honda’s security team in Japan addressed the issue within a few hours of being alerted, Diachenko said it “would have allowed malicious parties ample time to copy the data for their own purposes if they found it.”

Given its nature, the data could have provided a trove of material for sophisticated, personalized phishing campaigns, in which actors could have posed as the car manufacturer itself or other authorities in an attempt to steal financial data or seed malware.

In a statement to Diachenko, Honda said that none of its customers’ financial information, credit card data, or credentials were exposed. The database, it said, was “a data logging and monitoring server for telematics services for North America covering the process for new customer enrollment as well as internal logs.”

In July this year, Honda leaked 40GB of employee data. The database, which was similarly left exposed without any authentication required to access it, contained information about Honda’s security systems and networks, including IP addresses, operating systems, and update logs, which could have led to further attacks on the company. 

Meanwhile, as far back as 2010, hackers breached a database of Honda and Acura owners in the US, exposing the usernames, email addresses and VINs of some 2.2 million Honda customers.