A severe security lapse at Honda Motor Company has left a vast database containing 134 million rows of systems data, much of it highly sensitive, exposed online without any password protection.
The data was on an unsecured Elasticsearch database that was freely accessible to anyone who came across it, and contained in-depth information about the company’s security systems and network.
This includes technical details of each individual computer, including IP addresses, operating systems, unique network identifiers and security solutions and patches.
As a result, the data would provide any malicious actors with an exhaustive map of the company’s systems, including all the soft spots that would provide easy access to the network. Any skilled – or even relatively unskilled – hacker could use this information to perform a successful and potentially devastating cyberattack on Honda, such as highly targeted attacks on high-value employees.
“This is a hacker’s dream, a treasure trove of the most sought-after information. Whoever has it can own Honda’s network,” said Igor Baikalov, chief scientist at Securonix.
Exposed Honda database puts company at serious risk
It is not known if the database has been accessed by malicious actors, and any individual or group that has gained the information could easily bide their time before engaging in an attack, putting Honda in a very dangerous position.
“While it is unclear if this data has already been accessed by someone maliciously, it does highlight a concerning flaw in the security practices of Honda,” said Baikalov.
“If an attacker has already gained access they could use the data to carry out further attacks and gain deeper access to Honda’s networks causing substantial damage.”
“What makes this attack particularly troubling is that the information it revealed can potentially give hackers inside knowledge of the company’s security weak points and the ability to launch targeted attacks that exploit those identified vulnerabilities,” added Saryu Nayyar, CEO of Gurucul.
“This is a situation where behaviour analytics technology would be crucial for detecting and stopping abnormal and suspicious activities on the network before data can be stolen.”
Yet another database exposure
The Honda database exposure is yet another incident involving an unsecured database inadvertently left exposed online.
However, most such incidents are data breaches in which customer data is involved. Examples include a breach involving 1.5 million Gearbest customers in March, the exposure of four million students’ personal data by AIESEC in January and the breach of five million Freedom Mobile customers’ data in May.