A Honda Motor Company Elasticsearch cluster containing 976 million records, holding information on Honda vehicle owners and affecting about 26,000 customers, was found exposed.
Independent security researcher Bob Diachenko posted that the database, which appeared to be part of the company’s North American operation, did not require any passwords or other authentication to access the data, which included full name, email address, phone number, mailing address, vehicle make and model, vehicle VIN, agreement ID and other service information.
“Please note that I was unable to confirm the exact number of unique customer records, this number is based on cluster statistics and keywords search analysis. In its statement Honda estimates this number to be around 26,000,” he said.
The database was discovered December 11; the company was immediately notified and quickly locked down the information, Diachenko said.
Honda thanked Diachenko for pointing out the problem and said the database, which is used as a logging and monitoring server for telematics services for North America, covering the process for new customer enrollment as well as internal logs, was misconfigured on Oct. 21, 2019. As stated, the company estimates the information for about 26,000 customers was contained in the database.
This is the second major database exposure at Honda this year. In August independent researcher xxdesmus discovered a Honda Motor Company database leaking 134 million rows, roughly 40GB, of employee information.
The researcher discovered the database on July 4, 2019, and then began trying to contact Honda, succeeding early on July 6, 2019. By that evening the database had been secured, according to a July 31 blog post.