
Published on December 20th, 2019


Honda is hacked; details of more than 976 million customers leaked



A recent massive data breach involving about 976 million records exposed nearly one million files in a Honda automotive company database, which contained various details about thousands of vehicles and their owners, as reported by web application security specialists.

The report mentions that no password or any other authentication method was required to access the compromised database, so it was completely exposed to any user.

Bob Diachenko, a renowned web application security researcher who searches for compromised information exposed on the public Internet, reported the incident after identifying an unprotected Elasticsearch cluster that stored 976 million records, all belonging to Honda in North America.

Diachenko mentions that the database had been exposed for at least a week, long enough for any threat actor to access, copy and store the information for malicious purposes.

Personal details exposed during the incident include:

  • Full names
  • Addresses
  • Phone numbers
  • Email addresses
  • Make and model of the vehicle
  • Vehicle plate numbers
  • Records on maintenance services

Web application security firms have previously reported similar incidents due to omissions by Honda staff. According to Chris DeRamus, of the security firm DivvyCloud: “In January 2019, a data breach was detected that compromised information belonging to the automotive company. The database was completely exposed,” the expert said.

Incorrect security configurations when enabling a database are the primary cause of information exposure incidents; it is estimated that more than half of these incidents could be avoided if the staff in charge of managing these implementations enabled appropriate measures.

However, the features inherent in this class of implementations lead to user ignorance, so security best practices, even if they exist and are ready to be enabled, go unused because users are unaware they are even available, say web application security specialists.

Specialists from the International Institute of Cyber Security (IICS) believe that preventing these misconfigurations would significantly reduce incidents of database information exposure in any company.
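A defender-side check for the kind of misconfiguration described above, as an added example that is not part of the original article: it audits an `elasticsearch.yml` for a REST API bound off-host without authentication or TLS. The setting names are real Elasticsearch keys; the sample configs and the `security_default` parameter are constructed for illustration, and only flat `key: value` files are handled.

```python
# Added example: audit a flat "key: value" elasticsearch.yml for settings that
# leave the HTTP API reachable without authentication. Nested YAML is not handled.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

def parse_flat_yaml(text):
    """Return {dotted.key: value} from 'key: value' lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text, security_default=False):
    """List findings. security_default is the ASSUMED value of
    xpack.security.enabled when the key is absent; set it per your version."""
    s = parse_flat_yaml(text)
    # http.host overrides network.host for the REST API; unset means loopback.
    hosts = s.get("http.host") or s.get("network.host") or "_local_"
    exposed = any(h.strip(" []\"'") not in LOOPBACK for h in hosts.split(","))
    sec = s.get("xpack.security.enabled")
    sec_on = security_default if sec is None else sec.lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if not sec_on:
        findings.append("authentication is off: set xpack.security.enabled: true")
    if exposed and not sec_on:
        findings.append("CRITICAL: REST API bound to %s with no authentication" % hosts)
    if exposed and not tls_on:
        findings.append("REST API reachable off-host without TLS: "
                        "set xpack.security.http.ssl.enabled: true")
    return findings

# Constructed sample configs, not taken from the incident.
WEAK = """
cluster.name: customer-data   # constructed
network.host: 0.0.0.0
"""
HARDENED = """
cluster.name: customer-data
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Run it against each node's config in CI or a configuration-management check so an off-host binding without authentication is caught before deployment.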


