An inquiry shows that no password or other form of authentication was necessary to access the consumer records, which included purchaser or inquirer names and their contact details, together with their vehicle information. The issue was detected by security researcher Bob Diachenko, who identified an unprotected Elasticsearch cluster containing 976 million records belonging to Honda North America.
Diachenko notes that Honda’s week-long public exposure “would have allowed malicious parties ample time to copy the data for their own purposes if they found it.”
The database contained the following information about Honda owners and their vehicles:
Full name
Email address
Phone number
Mailing address
Vehicle make and model
Vehicle VIN number
Agreement ID
Other service information
To gain an insight into the data breach, Digital Journal caught up with Chris DeRamus, CTO of DivvyCloud, who tells us: “This isn’t the first time Honda left a database exposed without any protection.” DeRamus recalls that earlier in 2019 Honda was associated with a different data breach after it left a database open with no password protection.
Looking more widely at such inherent weaknesses in company systems, DeRamus notes: “Misconfigured databases have been one of the most common causes of breaches in the past year. However, the self-service nature of cloud means that users not familiar with security settings and best practices can easily create databases or alter configurations, which results in massive leaks of data, unbeknownst to them.” Cloud hacking cases during 2019 have shown that not all cloud providers are as secure as they claim to be. Misconfiguration means that public cloud server instances, such as storage and compute, are configured in such a way that they are vulnerable to breaches.
As a preventative action, DeRamus recommends that: “Organizations need to transform their security strategies as they adopt cloud and implement automated security solutions that can detect misconfigurations and either alert the appropriate personnel of the issue so that it can be fixed or trigger an automated remediation.”