An Elasticsearch cluster containing information on Honda owners in North America was recently found to be accessible from the Internet without any authentication.
Discovered on December 11, 2019, by security researcher Bob Diachenko, the database was part of Honda North America's infrastructure and contained 976 million records.
Of these, around 1 million records were found to include information about Honda owners and their vehicles, but the researcher said he was not able to confirm the exact number of unique customer records in the database.
The database stored names, contact details, and vehicle information, all of which could be accessed without a password. The company secured the server within hours after being notified, the researcher says.
Honda told the researcher that the leak involved a data logging and monitoring server for telematics services. The car maker also said that the estimated number of impacted customers was roughly 26,000.
“We are basing this number on a detailed review of the databases on this server, eliminating duplicate information and eliminating the data that does not contain consumer PII. […] The server on which the database resides was misconfigured on October 21, 2019,” Honda said.
The car maker also told Diachenko that no financial, credit card, or password information was present in the exposed database.
According to the security researcher, the database was exposed for over a week, meaning that malicious parties might have had time to copy the information, provided they discovered the exposure.
“Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations. We will continue to work on proactive security measures to prevent similar incidents in the future,” Honda said.
The database was first indexed by search engine BinaryEdge on December 4, but the researcher only discovered it on December 11. Honda’s security team in Japan was alerted the next day and the server was shut down by December 13, the researcher says.
Information stored in the database included the full names of Honda owners, email addresses, phone numbers, mailing addresses, vehicle makes and models, vehicle VINs, agreement IDs, and other service information. Internal logs and maintenance records were also present on the server.
Malicious actors who might have had the chance to download the exposed data could use it in targeted phishing campaigns.
In July, an Elasticsearch database exposed data related to Honda’s internal network and computers, such as hostname, MAC address, internal IP, operating system version, installed patches, and more.