Security researcher Bob Diachenko has identified an unprotected Elasticsearch cluster with 976 millions of records belonging Honda North America. An estimated 1 million records in the database contained information about Honda owners and their vehicles. No password or authentication was necessary to access the records, which included names, contact details and vehicle information.
The database contained the following information of Honda owners and their vehicles:
- Full name
- Email address
- Phone number
- Mailing address
- Vehicle make and model
- Vehicle VIN number
- Agreement ID
- Other service information
Exposures like this highlight the dynamic nature of the enterprise attack surface. In today\’s DevOps driven world, IT and infosec teams no longer control assets in cloud-based services like AWS. In many cases, they aren\’t even aware that they exist. And by the time configuration management databases are caught up, those assets might already have been decommissioned in favor of new ones. A sound security strategy for these realities must start with a continuously updated inventory and categorization of all assets. Once visibility is achieved, the organization must identify and prioritize areas of risk, such as inadvertent exposure of an ElasticSearch cluster that contains customer data, and eliminate those security issues that have the highest possible impact to the organization.
Databases that hold personally identifiable information should be secure at all times. Throughout the course of 2019, we witnessed several companies make the simple mistake of leaving their database exposed with no password protection in place. Unfortunately, these incidents, including this one of over 1 million records, could have easily been prevented if the impacted companies were continuously validating the efficacy of their security controls. Through this process, organizations would be able to identify controls that are overlapping in coverage, not configured correctly and even assets that are not protected. As a result, companies can ensure that their assets are defended against the latest attacker tactics, techniques and procedures (TTPs) and that any vulnerabilities are proactively remediated.
Unfortunately, this isn’t the first time Honda left a database exposed without any protection. Earlier this year, Honda suffered a breach after it left another database open without password protection. Companies that manage consumer data are obligated to keep it secure, however, suffering two incidents within the same year should signal to Honda that it is time to enact the proper security controls.
The truth is that misconfigured databases have been one of the most common causes of breaches in the past year. However, the self-service nature of cloud means that users not familiar with security settings and best practices can easily create databases or alter configurations, which results in massive leaks of data, unbeknownst to them. Organizations need to transform their security strategies as they adopt cloud and implement automated security solutions that can detect misconfigurations and either alert the appropriate personnel of the issue so that it can be fixed or trigger an automated remediation.