In the second such instance of failing to secure online databases containing enterprise or customer data, global automotive giant Honda recently left an ElasticSearch database unprotected on the Web that contained data records belonging to around 26,000 North American customers.
The latest security incident was highlighted by security researcher Bob Diachenko who discovered the unsecured ElasticSearch database owned by Honda using the BinaryEdge search engine. Diachenko found that the database contained around one million data records and was left publicly-accessible on the Web for around two weeks.
Upon investigating the database, Diachenko found that it contained personal details as well as vehicle information belonging to North American citizens and such information included names, email addresses, phone numbers, mailing addresses, vehicle make and models, vehicle VIN numbers, agreement IDs, and other service information.
The unsecured ElasticSearch database was first indexed by the BinaryEdge search engine on 4th December and was discovered by Diachenko on 11th December. Once he informed Honda about the exposed data records, the company acted quickly to remove public access to the database.
Unsecured Honda database was publicly accessible between 21st October and 13th December
In a statement addressed to Diachenko, Honda said that the database was misconfigured on 21st October and admitted that the lapse could have potentially allowed outside parties to access personal information of thousands of its customers.
"The database in question is a data logging and monitoring server for telematics services for North America covering the process for new customer enrollment as well as internal logs. As of today, Honda estimates the number of unique consumer related records in this database to be around 26,000," the company said.
"We are basing this number on a detailed review of the databases on this server, eliminating duplicate information and eliminating the data that does not contain consumer PII. We can also say with certainty that there was no financial, credit card or password information exposed on this database. The server on which the database resides was misconfigured on October 21, 2019.
"The security issue you identified could have potentially allowed outside parties to access some of our customers’ personal information. We quickly investigated this issue, determined the specific breach in protocol, and took immediate steps to address the vulnerability. All data in this database is now secure," it added.
Honda left database containing employee records accessible to everyone as well
Even though Honda acted quickly to remove public access to the exposed database, this is the second time in this calendar year that the company has failed to appropriately secure an online database containing sensitive customer or enterprise data.
In July, Honda left an ElasticSearch database exposed on the Web that contained around 134 million documents containing personal and company information of around 300,000 employees. The list of affected employees included Honda's CEO as well as its CFO and CSO.
Data records in the exposed database included employees' names, email addresses, their login details, as well as details of their devices such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda's endpoint security software.
Commenting on the latest security incident involving Honda, Tim Mackey, Principal Security Strategist at the Synopsys CyRC, said that the quick response by Honda’s security team in resolving access within hours is to be commended.
"When looking at any cybersecurity event, it’s not the question of whether an incident will occur – that may be inevitable given the complexity of software and software supply chains – it’s the response to an incident that matters most. As an industry we need to prioritise the process of learning from cyber incidents involving others. Doing so will help improve our ability to identify incidents earlier and contain them faster," he added.
"It's encouraging to see that Honda was able to rectify the issue within a few hours of being notified by a researcher. However, it is unfortunate that this situation occurred to begin with. While the cloud makes it very easy to configure large databases, it is imperative that they are secured properly," says Javvad Malik, security awareness advocate at KnowBe4.
"Unlike on-prem databases, a misconfiguration cannot be mitigated with other compensating controls within the environment, so it is essential that these are properly secured and regularly tested to gain assurance they are configured correctly.
"Although no financial information was part of this potential leak, it did contain a large amount of personal information, which, in many cases can have a more devastating impact on affected customers over the long run," he adds.
ALSO READ: BMW fought off cyber attack by APT32 aimed at stealing trade secrets