Honda Car India is singing a familiar refrain – an unsecured Amazon AWS S3 bucket (in this case two exposed servers) leaked the personal information of tens of thousands of users.
Kromtech Security Center recently found that information on 50,000 Honda Connect App users – including names, phone numbers, gender, passwords and email addresses for the users and their contacts – was held in unprotected databases accessible to the public. VINs, Connect IDs and other data were also exposed.
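The exposure described above is the classic S3 misconfiguration: a bucket ACL or bucket policy that grants access to everyone. The following is an added example, not code from the article, Kromtech or Honda, showing how a defender can audit the three settings that decide whether a bucket is public. It works offline on the data structures that boto3's `get_bucket_acl()`, `get_bucket_policy()` and `get_public_access_block()` return (those shapes are assumed from the AWS API; the sample ACL, policy and bucket name below are constructed for illustration).

```python
from __future__ import annotations

import json
from typing import Any, Optional

# Canned S3 grantee groups that mean "anyone on the internet" (AllUsers) or
# "anyone with any AWS account" (AuthenticatedUsers); both count as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal: Any) -> bool:
    """True when a bucket-policy Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_acl_grants(acl: dict) -> list[str]:
    """Return 'PERMISSION -> grantee URI' for every ACL grant to a public group.

    `acl` has the shape returned by boto3 get_bucket_acl().
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append(f"{grant.get('Permission')} -> {grantee['URI']}")
    return findings


def public_policy_statements(policy_json: str) -> list[tuple[str, tuple[str, ...], bool]]:
    """Return (Sid-or-index, actions, has_condition) for each Allow statement
    whose Principal is everyone. A statement with a Condition block may still
    be narrowed (e.g. to a VPC endpoint), so it is flagged for review rather
    than treated as unconditionally public.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((str(st.get("Sid", i)), tuple(actions), bool(st.get("Condition"))))
    return findings


def assess_bucket(acl: dict, policy_json: Optional[str] = None,
                  public_access_block: Optional[dict] = None) -> dict:
    """Combine ACL, policy and Block Public Access settings into one verdict.

    IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets
    neutralises a public bucket policy. If neither is set, any public grant
    or unconditional public Allow makes the bucket reachable by anyone.
    """
    pab = public_access_block or {}
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy_json) if policy_json else []
    acl_open = bool(acl_findings) and not pab.get("IgnorePublicAcls", False)
    policy_open = (any(not conditional for _, _, conditional in policy_findings)
                   and not pab.get("RestrictPublicBuckets", False))
    return {"public": acl_open or policy_open,
            "acl_findings": acl_findings,
            "policy_findings": policy_findings}


# Constructed sample data: a bucket whose ACL grants READ to AllUsers and whose
# policy allows anonymous s3:GetObject. The bucket name and account id are fictitious.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-backups/*"},
        {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-app-backups/*"},
    ],
})
# The remediation: all four Block Public Access flags on at the bucket (or account) level.
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("as found:", assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, None))
    print("with Block Public Access:", assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, HARDENED_PAB))
```

In a real audit the three inputs come from the corresponding boto3 calls for every bucket in the account (`get_bucket_policy` raises `NoSuchBucketPolicy` when there is none, which should be treated as an empty policy), and the account-level Block Public Access setting from S3 Control should be checked first, since it overrides everything below it.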
“In this particular case, the information leaked could potentially give an attacker access to everything on that phone, but specifically regarding this app when paired with a Connected Device: where someone's car is currently located, where they went, where they typically drive, how they drive, and where they start and stop,” Kromtech researchers wrote in a blog post. “Considering how we use our cars, this could give that attacker knowledge of the user's daily activities, including where they live, work, shop, and play, making it very easy to stalk someone.” Kromtech said the information could easily be used to launch a targeted spearphishing attack.
The exposed server reiterates a cautionary tale about securing third parties.
“While most organisations factor vendors, suppliers and contractors into their third-party risk management programs, the reality is that our digital ecosystems are a lot bigger than that. Any third party in a company's digital ecosystem can be the weak link that gives attackers a clear path to exposed data,” said Fred Kneip, CEO of CyberGRX. “In this case, an affiliate's weak security controls led to them ignoring a vulnerability that was pointed out nearly a year ago at the expense of Honda's reputation. Global companies often interact with tens of thousands of third parties, and it's critical for them to gain a better understanding of which of those third parties pose the biggest risk to their data.”