Honda has accidentally exposed many of its corporate secrets and private employee information, amounting to 40GB of data.
On the eve of releasing its financial earnings for the past quarter, Honda created a situation described by one security researcher as “a hacker’s dream”. According to Verdict, 40GB of critical company data – amounting to 134m rows of system data – was stored on an unsecured Elasticsearch database.
This meant that anyone who knew where to look could have come across the company’s most sensitive data, not only including information about the company’s security systems and networks, but also technical data on all of its IP addresses, operating systems and what patches they had.
In effect, it gave hackers of even the lowest skill the map and details needed to potentially engage in a massive cyberattack against the company, including personal attacks against its employees.
Speaking with Verdict, Igor Baikalov, chief scientist at the cybersecurity firm Securonix, described the situation Honda created for itself as “a hacker’s dream, a treasure trove of the most sought-after information”, adding that “whoever has it, can own Honda’s network”.
It isn’t known whether the information exposed in the breach has been accessed by any individuals or groups, but the nature of the breach leaves it possible for a devastating attack to come further down the line.
Honda hasn’t said what error led to the breach, but security awareness advocate Javvad Malik of KnowBe4 had one suggestion.
“It’s likely that there was an oversight on behalf of an administrator, which exposed the database publicly,” he said.
“This is why it’s important to gain assurance that all systems are protected as required and that staff have been given the right level of security training to know what to look out for and what baseline standards are.
“Robust policy and user training may have helped to reduce the likelihood of this data exposure – technology would have, potentially, alerted Honda to the issue and allowed them to remediate.”