A researcher claims to discover Honda’s ElasticSearch database that exposes the internal system and device data. The discovery revealed a database containing 40GB of internal system and data services that are unprotected and unencrypted by Honda’s Security.
Belonging to Honda Motor Company, the unsecured database was found leaking sensitive information about its global system, which includes the devices which aren’t up-to-date or protected by security protocols.
The said exposed ElasticSearch database accommodated approximately 134 documents that amounted to an estimate of 40GB of data belonging to Honda, one of the largest automobile manufacturers in the world. The data could have helped and provided attackers with an easy map for locating the security “soft spots” of the company, said security researcher Justin Paine, who discovered the leak of the database.
“The data contained within this database was related to the internal network and computers of Honda Motor Company,” he said in a post on Wednesday about the incident.
“The information available in the database appeared to be something like an inventory of all Honda internal machines. This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied and the status of Honda’s endpoint security software.”
The leaked information seems to go back as far as March 13, and this also includes significant information on endpoint security vendors that protects Honda’s machines (which Paine did not name). The leak also pointed out machines with endpoint security software that are enabled and up-to-date. What is more disturbing is that it also pinpoints machines that do not have any endpoint security enabled at all, or are using older operating systems.
“If an attacker is looking for a way into Honda’s network, knowing which machines are far less likely to identify/block their attacks would be critical information,” stated Paine. “These ‘uncontrolled machines’ could very easily be the open door into the entire network.”
Aside from finding sensitive system information, Paine also discovered a dataset that contains employee information like names, email addresses, department, last login, employee number, and account names. It also gives out specific employees’ machine IP address, MAC address, hostname, operating system, machine type, endpoint security state and which Windows patches had been applied.
One data test also revealed the CEO’s full email account, account name, and ID; the last time they logged in the system, and as well as the device data such as MAC address, patching history, OS version, endpoint security status and the IP — it also specifies what device type the user is using. Attackers could use these data to locate an employee and keep tabs on them to identify ways to launch targeted attacks, Paine warned.
In a statement given by the researcher, he said that Honda claimed that there is no evidence that the data was leaked. Honda did not respond right away to a request for any further comments.
“The security issue… identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers,” according to Honda’s statement.
“We investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked…We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future,” the carmaker added further.
Unsecured databases still continue to be a security problem in companies. In June, for example, three publicly accessible cloud storage buckets from a data-management company, Attunity, leaked more than a terabyte of data from its top Fortune 100 customers, which includes internal business documents, system passwords, and some sensitive employee information.
There were also some instances that occurred in May, where IT services provider, HCL Tech, inadvertently exposed passwords and other sensitive project reports and other private data of thousands of customers and internal employees.
And in April hundreds of millions of Facebook records were found in two separate publicly exposed app datasets.
This information highlights how data security could be at risk. A single flaw in the system could lead to significant exposure of private information to the public. Security protocols should be tightened and fortified, said Paine.