A severe security lapse at Honda Motor Company has seen a vast database containing 134 million rows of systems data, much of it highly sensitive, exposed without any password protection online.
The data was on an unsecured Elasticsearch database that was freely accessible to anyone who came across it, and contained in-depth information about the company’s security systems and network.
This includes technical details of each individual computer, including IP addresses, operating systems, unique network identifiers and security solutions and patches.
As a result, the data would provide any malicious actors with an exhaustive map of the company’s systems, including all the soft spots that would provide easy access to the network. Any skilled – or even relatively unskilled – hacker could use this information to perform a successful and potentially devastating cyberattack on Honda, such as highly targeted attacks on high value employees.
“This is a hacker’s dream, a treasure trove of the most sought after information. Whoever has it, can own Honda’s network,” said Igor Baikalov, chief scientist at Securonix.
Exposed Honda database puts company at serious risk
It is not known if the database has been accessed by malicious actors, and any individual or group that has gained the information could easily bide their time before engaging in an attack, putting Honda in a very dangerous position.
“While it is unclear if this data has already been accessed by someone maliciously, it does highlight a concerning flaw in the security practices of Honda,” said Baikalov.
“If an attacker has already gained access they could use the data to carry out further attacks and gain deeper access to Honda’s networks causing substantial damage.”
“What makes this attack particularly troubling is that the information it revealed can potentially give hackers inside knowledge of the company’s security weak points and the ability to launch targeted attacks that exploit those identified vulnerabilities,” added Saryu Nayyar, CEO of Gurucul.
“This is a situation where behaviour analytics technology would be crucial for detecting and stopping abnormal and suspicious activities on the network before data can be stolen.”
Yet another database exposure
The Honda database exposure is yet another incident involving an unsecure database that is inadvertently left exposed online.
However, in most cases the incident involves a data breach, where customer data is involved. Examples include a breach involving 1.5 million Gearbest customers in March, the exposure of four million students’ personal data by AIESEC in January and the breach of five million Freedom Mobile customers’ data in May.
While the Honda database exposure does not involve customer data, the exposure of sensitive information security data could prove even more devastating for the company. And the incident highlights the same shockingly lax security practices that have plagued these other examples.
“This attack is a reminder that, unfortunately, too many organisations are still not getting the cybersecurity basics right,” said Gurucul.
“In this case, those basics include providing each critical system with a unique and frequently updated password.”
The dangers of user oversight
While Honda has not said what caused the database exposure, it is likely to have been caused by simple user error.
“It’s likely that there was an oversight on behalf of an administrator which exposed the database publicly,” said Javvad Malik, security awareness advocate at KnowBe4.
“This is why it’s important to gain assurance that all systems are protected as required and that staff have been given the right level of security training to know what to look out for and what baseline standards are.”
“There are three pillars of information security: people, process and technology – very much in that order. In this scenario it may have been a simple oversight by the person(s) responsible for the database,” agreed Steve Armstrong, regional director at Bitglass.
“Robust policy and user training may have helped to reduce the likelihood of this data exposure – technology would have, potentially, alerted Honda to the issue and allowed them to remediate.”
For cybersecurity experts, it’s yet another reminder of just how important proper practices should be.
“This incident should be a lesson to organisations that any documents, servers or databases should be secured and at the very least password-protected,” said Baikalov.
“What may seem like meaningless logs to an organisation, could actually provide a wealth of opportunity to a skilled and knowledgeable attacker.”
“As an industry it’s becoming more important than ever that, as a whole, we do better,” added Armstrong.
“Less vendor FUD, more collaboration and better training – mistakes like these do enable all organisations to learn and do better in the future.”