Bob Diachenko reports that he found an Elasticsearch instance that was exposing data on customers of Honda North America.
On December 11th, 2019, I identified an open and unprotected Elasticsearch cluster with 976 million records which appeared to be part of Honda North America infrastructure, exposed online to anyone with a web browser.
Of note, Honda responded promptly to his notification and gave him a detailed statement that described the function of the data and estimated that approximately 26,000 customers had data in it. The instance had been misconfigured on October 21.
You can read Bob’s full report with Honda’s response here.
This was Honda’s second reported data leak this year, with the first one exposing 40 GB of employee data.
The need for automotive companies to lock down their data has become more urgent this year, as they have been targeted by hackers: not just by what are thought to be state actors or an APT, but by lesser-known attackers, too.