Honda Motor Company has suffered a massive data breach after an unsecured Elasticsearch database belonging to the company was discovered to be exposing confidential files.
The lost data relates to the firm’s internal systems and devices, and the firm believes the number of compromised documents may total 134 million.
The unsecured database was found by security researcher Justin Paine, who said the incident has exposed around 40GB of material concerning Honda’s global networks and company workers.
In an online address, Paine wrote:
“I was searching Shodan yet again when I discovered an ElasticSearch database without any authentication. The data contained within this database was related to the internal network and computers of Honda Motor Company.
“The information available in the database appeared to be something like an inventory of all internal machines. This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software.
“I would like to thank the security team at Honda Motor Company for their very prompt action to secure the database shortly after being notified.”
According to Paine, the compromised database was leaking data through an endpoint security vendor which should have safeguarded the car manufacturer from cyber-attack.
The leak could have given cyber-criminals a clear view of Honda’s entire security network, complete with information on “soft spots” where entry into the corporate mainframe would be easiest.
Besides the compromised database, Paine said he also found a leak of workers’ details, such as full names, email addresses, department information, account names, login credentials and worker numbers.
A further batch of exposed information held data on the CEO’s email address, employee identification, account name and further login details. The unprotected datasets were found on 4th July by Paine, who passed his findings on to Honda two days later.
Thanking Paine for his efforts, Honda say the database was re-secured ten hours later, and that no evidence was found to suggest that the datasets had been downloaded by third parties.