Leaky Honda Database Exposes 976M Records – Expert Commentary

By   ISBuzz Team
Writer , Information Security Buzz | Dec 19, 2019 11:49 am PST

Security researcher Bob Diachenko has identified an unprotected Elasticsearch cluster with 976 millions of records belonging Honda North America. An estimated 1 million records in the database contained information about Honda owners and their vehicles. No password or authentication was necessary to access the records, which included names, contact details and vehicle information.

The database contained the following information of Honda owners and their vehicles:

  • Full name
  • Email address
  • Phone number
  • Mailing address
  • Vehicle make and model
  • Vehicle VIN number
  • Agreement ID
  • Other service information
Notify of
3 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Vinay Sridhara
December 19, 2019 7:57 pm

Exposures like this highlight the dynamic nature of the enterprise attack surface. In today\’s DevOps driven world, IT and infosec teams no longer control assets in cloud-based services like AWS. In many cases, they aren\’t even aware that they exist. And by the time configuration management databases are caught up, those assets might already have been decommissioned in favor of new ones. A sound security strategy for these realities must start with a continuously updated inventory and categorization of all assets. Once visibility is achieved, the organization must identify and prioritize areas of risk, such as inadvertent exposure of an ElasticSearch cluster that contains customer data, and eliminate those security issues that have the highest possible impact to the organization.

Last edited 3 years ago by Vinay Sridhara
Stephan Chenette
Stephan Chenette , Co-Founder and CTO
December 19, 2019 7:55 pm

Databases that hold personally identifiable information should be secure at all times. Throughout the course of 2019, we witnessed several companies make the simple mistake of leaving their database exposed with no password protection in place. Unfortunately, these incidents, including this one of over 1 million records, could have easily been prevented if the impacted companies were continuously validating the efficacy of their security controls. Through this process, organizations would be able to identify controls that are overlapping in coverage, not configured correctly and even assets that are not protected. As a result, companies can ensure that their assets are defended against the latest attacker tactics, techniques and procedures (TTPs) and that any vulnerabilities are proactively remediated.

Last edited 3 years ago by Stephan Chenette
Chris DeRamus
Chris DeRamus , VP of Technology Cloud Security Practice
December 19, 2019 7:51 pm

Unfortunately, this isn’t the first time Honda left a database exposed without any protection. Earlier this year, Honda suffered a breach after it left another database open without password protection. Companies that manage consumer data are obligated to keep it secure, however, suffering two incidents within the same year should signal to Honda that it is time to enact the proper security controls.

The truth is that misconfigured databases have been one of the most common causes of breaches in the past year. However, the self-service nature of cloud means that users not familiar with security settings and best practices can easily create databases or alter configurations, which results in massive leaks of data, unbeknownst to them. Organizations need to transform their security strategies as they adopt cloud and implement automated security solutions that can detect misconfigurations and either alert the appropriate personnel of the issue so that it can be fixed or trigger an automated remediation.

Last edited 3 years ago by Chris DeRamus

Recent Posts

Would love your thoughts, please comment.x