Open database exposes 26,000 Honda Motors customers
A Honda Motor Company Elasticsearch cluster containing 976 million records affecting about 26,000 customers and containing information on Honda vehicle owners was found exposed.
Independent
security researcher Bob Diachenko posted
that the database appeared to be part of the company’s North American operation
did not require any passwords or other authentication to access the data, which
included full name, email address, phone number, mailing address, vehicle make
and model, vehicle VIN number, agreement ID and other service information.
“Please note
that I was unable to confirm the exact number of unique customer records, this
number is based on cluster statistics and keywords search analysis. In its
statement Honda estimates this number to be around 26,000,” he said.
The database
was discovered December 11, the company was immediately notified and quickly locked
down the information, Diachenko said.
Honda
thanked Diachenko for pointing out the problem and said the database, which is used
for logging and monitoring server for telematics services for North America
covering the process for new customer enrollment as well as internal logs, was
misconfigured on Oct. 21, 2019. As stated, the company estimates the
information for about 26,000 customers was contained in the database.
This is the second major database at Honda this year. In August independent researcher xxdesmus discovered a Honda Motor Company database leaking the data of 134 million rows, roughly 40GB, of employee information.
The
researcher discovered the database July 4, 2019 and then began trying to
contact Honda, which was accomplished early on July 6, 2019. By that evening
the database had been secured, according to a July 31 blog post.
Gloss