A security researcher alerted Japanese automotive giant Honda after finding 40GB - 134 million rows - of sensitive data sitting on an internet-exposed database that could be read without any authentication.
The researcher, who goes by the pseudonym ‘xxdesmus’, described in a blog post titled ‘Honda Motor Company leaks database with 134 million rows of employee computer data’ how they were able to query the database with no credentials at all.
“The data contained within this database was related to the internal network and computers of Honda Motor Company. The information available in the database appeared to be something like an inventory of all Honda internal machines. This includes information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software.”
“I would like to thank the security team at Honda Motor Company for their very prompt action to secure the database shortly after being notified.”
In response, Honda told the researcher in a statement that “the security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers.”
“We have investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked, excluding the screenshots taken by you. We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future,” Honda said.
Infosecurity Magazine quoted Igor Baikalov, chief scientist at Securonix, who said the data found by xxdesmus was a “hacker’s dream.”
“[It’s] a treasure trove of the most sought-after information. Whoever has it can own Honda’s network. While it is unclear if this data has already been accessed by someone maliciously, it does highlight a concerning flaw in the security practices of Honda.”
“This incident should be a lesson to organisations that any documents, servers or databases should be secured and at the very least password protected. What may seem like meaningless logs to an organisation could actually provide a wealth of opportunity to a skilled and knowledgeable attacker,” Baikalov concluded.