Honda and UMG Hit by Privacy Leaks

Honda and Universal Music Group (UMG) have both been left red-faced this week after researchers revealed sensitive log-in details and customer data were exposed to the public internet via poor configuration of IT infrastructure.

The carmaker’s Indian business left two Amazon AWS S3 Buckets containing personal information on 50,000 Honda Connect App users publicly exposed, according to Kromtech.

They were left exposed despite the firm having been notified about the error by another security researcher back in February.

The leaked info apparently included names, phone numbers for users and their trusted contacts, passwords, gender, email addresses for users and trusted contacts, and information about their cars including VIN, Connect IDs, and more.

“In this particular case, the information leaked could potentially give an attacker access to everything on that phone, but specifically regarding this app when paired with a Connected Device: where someone's car is currently located, where they went, where they typically drive, how they drive, and where they start and stop,” Kromtech explained.

“Considering how we use our cars, this could give that attacker knowledge of the user's daily activities, including where they live, work, shop, and play, making it very easy to stalk someone.”

Music giant UMG was also exposed this week after ‘expert’ AWS contractor Agilisium left two instances of Apache Airflow server completely unprotected.

The workflow orchestration tool is open by default and active steps need to be taken to secure related servers, according to Kromtech.

The privacy snafu exposed “UMG’s internal FTP credentials, AWS configuration details (secret access key and password), along with internal source code details (SQL passwords),” potentially giving anyone who discovered them full access to its AWS account and key databases.

Both Honda and UMG are said to have acted quickly to resolve the issues when contacted by the security vendor.

What’s Hot on Infosecurity Magazine?