Global automobile manufacturer Honda leaked a database of company data that exposed 134 million documents, roughly 40GB of information.
In a blog post, researcher xxdesmus revealed how he discovered an Elasticsearch database without any authentication.
“The data contained within this database was related to the internal network and computers of Honda Motor Company. The information available in the database appeared to be something like an inventory of all Honda internal machines. This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software. I would like to thank the security team at Honda Motor Company for their very prompt action to secure the database shortly after being notified.”
A statement from Honda to the researcher read: “The security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers. We investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked, excluding the screenshots taken by you. We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future.”
Igor Baikalov, chief scientist at Securonix, said, “This is a hacker’s dream, a treasure trove of the most sought-after information. Whoever has it can own Honda’s network. While it is unclear if this data has already been accessed by someone maliciously, it does highlight a concerning flaw in the security practices of Honda.”
If an attacker has already gained access, they could use the data to carry out further attacks and gain deeper access to Honda’s networks, causing substantial damage, he added.
“This incident should be a lesson to organizations that any documents, servers or databases should be secured and at the very least password protected. What may seem like meaningless logs to an organization could actually provide a wealth of opportunity to a skilled and knowledgeable attacker.”