Honda Exposes 976 Million Records Containing PII of Vehicle Owners

• Honda trips on a security bump for the second time in a few months, leaving a database unprotected.
• Car owner details from the U.S. were involved in the incident, but the actual number of exposed clients is unknown.
• The vehicle owners are now running a risk of getting phished or scammed, as the data that has leaked is very unveiling.

Bob Diachenko has discovered an unprotected Elasticsearch cluster which contained 976 million records belonging to “Honda North America”. The database was left online without setting a password, so anyone with a web browser could potentially locate and access it. The discovery was made on December 11, 2019, but the indexing history on BinaryEdge shows that it has been online since at least December 4, 2019. The researcher notified Honda’s security team in Japan, who took it down on December 13, 2019, so the data has remained exposed for at least nine days.

Out of the 976 million records that were contained in the unprotected database, an estimated 1 million corresponds to Honda vehicle owners' information. Honda, however, has stated that this number is actually around 26000, as all other entries are duplicates. As for what information was exposed, the set includes the following:

• Full name
• Email address
• Phone number
• Mailing address
• Vehicle make and model
• Vehicle VIN number
• Agreement ID
• Other service information
• Internal logs
• Maintenance records

As it becomes apparent from the above, the incident involves sensitive personal data that introduce a risk of falling victims to scammers and phishing actors for the exposed Honda owners. That said, the affected Honda car owners should be aware of any messages that impersonate people or companies.

Honda clarified that the leaking database was due to their own configuration mistake, and not the result of a data breach. As their internal investigation moves forward, they will determine if the data was accessed by any other than Diachenko, and they will inform the authorities and the affected individuals accordingly. Back in August, Honda suffered a data breach that resulted in the stealing of 40GB of corporate and private employee data. That said, 2019 hasn’t been an amazing year for the Japanese automaker as far as cybersecurity is concerned.

Companies engaged in the field of car manufacturing should be very vigilant when it comes to securing their systems, protecting their data, and encrypting their internal communications. Earlier in the month, we discussed how APT32 hacked into the systems of BMW and Hyundai, while in September, Toyota Boshoku paid $37 million to BEC scammers. In April, Toyota suffered from multiple data breaches in a number of Asian countries, and in February, they spilled the client data of their Australian arm.

Are you comfortable with trusting your data to your car maker, or do you share the least possible information with them? Let us know where you stand in the comments down below, or on our socials, on Facebook and Twitter.