Honda Exposes 26,000 Records of North American Customers

Automotive giant Honda exposed roughly 26,000 vehicle owner records containing personally identifiable information (PII) of North American customers after misconfiguring an Elasticsearch cluster on October 21, 2019.

Honda's security team in Japan promptly secured the publicly accessible server within just a few hours after being contacted by Security Discovery researcher Bob Diachenko on December 12.

The researcher discovered the database on December 11 and was able to access the data without authentication after the BinaryEdge Internet-connected device search engine indexed the database on December 4.

Exposed Honda vehicle owner data

The database records included the customers' full names, email addresses, phone numbers, mailing addresses, vehicle makes and models, vehicle VINs, agreement IDs, and various service information on their Honda vehicles.

"The database in question is a data logging and monitoring server for telematics services for North America covering the process for new customer enrollment as well as internal logs," Honda told Diachenko in a statement.

"As of today, Honda estimates the number of unique consumer-related records in this database to be around 26,000."

The company also said that none of its North American customers' financial info, credit card data, or credentials were exposed in the incident.

While the company reacted very promptly after being informed that the misconfigured Elasticsearch cluster was publicly accessible on the Internet, Diachenko says that their week-long public exposure "would have allowed malicious parties ample time to copy the data for their own purposes if they found it."

Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations. We will continue to work on proactive security measures to prevent similar incidents in the future. - Honda

"The information in this database could be valuable to criminals if they managed to find it before the server was shut down," the researcher adds. "It is best to assume the worst and take steps to protect yourself if you think you might be impacted."

The Honda customers' info might be used in highly targeted phishing attacks in the future if the information was leaked during the week the database was exposed.

Such attacks could be used by threat actors to steal sensitive information like user credentials and financial data or to infect their targets' computers with malware if the phishing messages also deliver malicious payloads.

Previous Honda data exposure and breach incidents

Honda was involved in similar incidents in the past, with the most recent one from July 2019 also involving a publicly accessible ElasticSearch database that exposed 134 million documents containing 40 GB worth of info on approximately 300,000 Honda employees around the globe.

As part of that breach, information about Honda's CEO was also exposed, with the open database revealing his full name, account name, email, and last login date, as well as info related to his work computer, including "MAC address, which Windows KB/patches had been applied, OS, OS version, endpoint security status, IP, and device type."

In 2018 Honda India also left customers' PII data on two public Amazon S3 buckets exposed to anyone with an Internet connection and the expertise needed to find it for at least three months.

The records contained customer names, genders, phone numbers, email addresses, and account passwords, as well as car VIN information, and the buckets were taken offline after repeated attempts to get in touch with the company spanning almost two weeks.

Further back, in 2010, Honda warned its customers of a hacking incident involving an e-mail list that gave the attackers access to 2.2 million Honda vehicle owners' names, e-mail addresses, and vehicle VINs, as well as to 2.7 million Acura customers' e-mail addresses after the attackers gained access to a second list.

How to secure an ElasticSearch cluster

Even though Elastic Stack's core security features have been free since May, per an announcement made by Elastic NV, publicly accessible and unsecured ElasticSearch clusters are constantly being spotted by security researchers scouring the web for unprotected databases.

"This means that users can now encrypt network traffic, create and manage users, define roles that protect index and cluster level access, and fully secure Kibana with Spaces," ElasticSearch's developers say.

ElasticSearch servers should only be accessible on the company's local network, so that only the database's owners can access them, as ElasticSearch's dev team explained back in December 2013.

Elastic NV also recommends that database admins secure their ElasticSearch stack by "encrypting communications, role-based access control, IP filtering, and auditing," by properly configuring the cluster before deploying it, and by setting up passwords for the servers' built-in users.
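The recommendations in this section can be checked against a node's elasticsearch.yml before it is deployed. The following Python audit is an added example, not code from Elastic or from the article: it assumes the file uses flat dotted keys, treats an unset key as disabled, and runs on two constructed sample configs.

```python
import ipaddress
# Constructed sample configs (not Honda's), using flat dotted keys.
EXPOSED = """\
network.host: 0.0.0.0
xpack.security.enabled: false
"""
HARDENED = """\
network.host: 10.20.0.15
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.audit.enabled: true
xpack.security.http.filter.allow: 10.20.0.0/16
xpack.security.http.filter.deny: _all
"""
REQUIRED_TRUE = {
    "xpack.security.enabled": "no authentication or role-based access control",
    "xpack.security.transport.ssl.enabled": "node-to-node traffic unencrypted",
    "xpack.security.http.ssl.enabled": "REST API traffic unencrypted",
    "xpack.security.audit.enabled": "no audit trail of access",
}

def parse_flat(text):
    """Parse 'key: value' lines; nested YAML is not handled (assumption)."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg

def audit(text):
    """Return a list of findings; an unset key counts as disabled."""
    cfg, findings = parse_flat(text), []
    host = cfg.get("network.host", "_local_")  # unset means loopback only
    if host not in ("_local_", "localhost"):
        try:
            ip = ipaddress.ip_address(host)
            if ip.is_unspecified or ip.is_global:
                findings.append(f"network.host={host}: binds all interfaces or a public address")
        except ValueError:
            findings.append(f"network.host={host}: not an IP literal, check what it binds to")
    for key, risk in REQUIRED_TRUE.items():
        if cfg.get(key, "false").lower() != "true":
            findings.append(f"{key}: {risk}")
    if not any(k.endswith(".filter.allow") for k in cfg):
        findings.append("xpack.security.*.filter.allow: no IP allow-list")
    return findings
```

Calling `audit(EXPOSED)` returns six findings, while `audit(HARDENED)` returns an empty list; passwords for the built-in users are set outside this file and are not covered by the check.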
