On December 11th, 2019, I identified an open and unprotected Elasticsearch cluster with 976 million records, which appeared to be part of Honda North America infrastructure, exposed online to anyone with a web browser.
An estimated 1 million records* in the database contained information about Honda owners and their vehicles. No password or other authentication was needed to access the records, which included names, contact details, and vehicle information.
*Please note that I was unable to confirm the exact number of unique customer records; this number is based on cluster statistics and keyword search analysis. In its statement (see below), Honda estimates this number to be around 26,000.
The Elasticsearch cluster appeared to be a data logging and monitoring server for telematics services for Honda North America, covering the process for new customer enrollment.
I immediately notified Honda; the company acted promptly and secured the server within hours of the initial notification. Honda provided me with the following statement:
Thank you very much for pointing out the database vulnerability. The security of our customers’ data is of vital importance to us, and we continually review our processes to ensure that their data is protected. The security issue you identified could have potentially allowed outside parties to access some of our customers’ personal information. We quickly investigated this issue, determined the specific breach in protocol, and took immediate steps to address the vulnerability. All data in this database is now secure.
The database in question is a data logging and monitoring server for telematics services for North America covering the process for new customer enrollment as well as internal logs. As of today, Honda estimates the number of unique consumer related records in this database to be around 26,000. We are basing this number on a detailed review of the databases on this server, eliminating duplicate information and eliminating the data that does not contain consumer PII. We can also say with certainty that there was no financial, credit card or password information exposed on this database. The server on which the database resides was misconfigured on October 21, 2019.
Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations. We will continue to work on proactive security measures to prevent similar incidents in the future.
We appreciate your efforts to raise awareness of cyber security issues.
The records appear to have been exposed for over a week, which would have allowed malicious parties ample time to copy the data for their own purposes if they found it.
Here’s the timeline:
– December 4 – The database was first indexed by the search engine BinaryEdge.
– December 11 – I discovered the database and began investigating.
– December 12 – I alerted Honda’s security team in Japan.
– December 13 – The server was shut down.
We don’t know if any other unauthorized parties accessed the database while it was not secured.
What information was exposed?
The database contained identifying information of Honda owners and their vehicles:
– Full name
– Email address
– Phone number
– Mailing address
– Vehicle make and model
– Vehicle VIN number
– Agreement ID
– Other service information
The server also contained some internal logs and maintenance records.
Dangers of exposed data
The information in this database could be valuable to criminals if they managed to find it before the server was shut down. It is best to assume the worst and take steps to protect yourself if you think you might be impacted.
In particular, the personal details of Honda drivers could be used in targeted phishing campaigns. Affected customers should be on the lookout for emails and other messages from scammers posing as Honda or a related company.
Phishing messages often impersonate trusted people or organizations to trick victims into giving up sensitive information or money. They often contain links to phishing websites, which mimic genuine websites. In fact, they exist only to steal information, such as passwords and payment information.
Honda’s previous data security incidents
Honda has suffered two major data leaks in the past.
The first, in late 2010, shared many similarities with the latest exposure. Hackers breached a database of Honda and Acura owners in the US. 2.2 million Honda customers who had registered for an Owner Link account had their names, usernames, email addresses, and VIN numbers exposed. Acura drivers only had their email addresses exposed.
Earlier this year, Honda leaked 40GB of employee data, or about 134 million rows of information. Again, the database was left exposed without any authentication required to access it. Instead of user data, however, this database contained information about Honda’s security systems and networks, such as IP addresses, operating systems, and update logs. Analysts feared it would allow attackers to launch further attacks against the company.
How and why we discovered this leak
Our goal is to help to protect data on the Internet by identifying data leaks and following responsible disclosure policies. Our mission is to make the cyber world safer by educating businesses and communities worldwide.
Our extensive cybersecurity knowledge lends itself well to searching for and analyzing data leaks. Our due diligence demands that we make every attempt to identify who is responsible and notify them as quickly as possible.
Our hope is to minimize harm to end users whose data was exposed. We take steps to find out what each database contained, for how long it was exposed, and what threats to end users might arise as a result. Our findings are compiled into reports like this one to raise awareness and curb misuse of personal data by malicious parties.