Leaky Honda Database Exposes 976M Records – Expert Commentary

Security researcher Bob Diachenko has identified an unprotected Elasticsearch cluster containing 976 million records belonging to Honda North America. An estimated 1 million records in the database contained information about Honda owners and their vehicles. No password or authentication was necessary to access the records, which included names, contact details and vehicle information.

The database contained the following information about Honda owners and their vehicles:

  • Full name
  • Email address
  • Phone number
  • Mailing address
  • Vehicle make and model
  • Vehicle VIN number
  • Agreement ID
  • Other service information

EXPERTS COMMENTS
Vinay Sridhara, CTO, Balbix
December 19, 2019
A sound security strategy for these realities must start with a continuously updated inventory and categorization of all assets.
Exposures like this highlight the dynamic nature of the enterprise attack surface. In today's DevOps-driven world, IT and infosec teams no longer control assets in cloud-based services like AWS. In many cases, they aren't even aware that they exist. And by the time configuration management databases are caught up, those assets might already have been decommissioned in favor of new ones. A sound se ....
Stephan Chenette, Co-Founder and CTO, AttackIQ
December 19, 2019
Databases that hold personally identifiable information should be secure at all times. Throughout the course of 2019, we witnessed several companies make the simple mistake of leaving their database exposed with no password protection in place. Unfortunately, these incidents, including this one of over 1 million records, could have easily been prevented if the impacted companies were continuously ....
Chris DeRamus, VP of Technology Cloud Security Practice, Rapid7
December 19, 2019
Organizations need to transform their security strategies.
Unfortunately, this isn’t the first time Honda left a database exposed without any protection. Earlier this year, Honda suffered a breach after it left another database open without password protection. Companies that manage consumer data are obligated to keep it secure; however, suffering two incidents within the same year should signal to Honda that it is time to enact the proper security cont ....
