Automobile manufacturer Honda is yet again caught up in a security issue after exposing its vehicle owner records due to a misconfiguration of an Elasticsearch cluster on October 21, 2019.
The exposed database, which was found by security researcher Bob Diachenko on Dec. 11, contains about 976 million records, of which 1 million were identified as belonging to Honda owners. The database was also reported to lack a password or other authentication, making it easily accessible to the general public.
The leaked information includes customers’ names, email addresses, phone numbers, mailing address, vehicle make and model, VINs, agreement ID, and various service information concerning their Honda vehicles.
Diachenko discovered the Elasticsearch database after the BinaryEdge Internet-connected device search engine indexed it on December 4.
Honda was quick to confirm that a database had indeed been exposed. However, the auto manufacturing giant contended that the exposed records total only 26,000.
“The database in question is a data logging and monitoring server for telematics services for North America covering the process for new customer enrollment as well as internal logs,” Honda said in a statement.
“As of today, Honda estimates the number of unique consumer-related records in this database to be around 26,000.”
Several cybersecurity experts have also shared their views on the incident. Chris DeRamus, chief technology officer of cybersecurity firm DivvyCloud Corp., told Silicon Angle that Honda’s second security issue for 2019 signals that the firm must “enact the proper security controls.”
“The truth is that misconfigured databases have been one of the most common causes of breaches in the past year,” DeRamus explained. “However, the self-service nature of cloud means that users not familiar with security settings and best practices can easily create databases or alter configurations, which results in massive leaks of data, unbeknownst to them.”
The incident is the latest in a series of cybersecurity issues that have hit Honda. In 2018, the auto manufacturer’s India branch left customers’ PII on two public Amazon S3 buckets.
This was followed in July 2019, when the company left a database containing 134 million documents publicly accessible.
“The information in this database could be valuable to criminals if they managed to find it before the server was shut down. It is best to assume the worst and take steps to protect yourself if you think you might be impacted,” researcher Diachenko added.