An unsecured Elasticsearch cluster owned by the Honda Motor Company, containing 976 million records relating to about 26,000 customers, was discovered by security researcher Bob Diachenko.
"On 11 December, 2019, I identified an open and unprotected Elasticsearch cluster with 976 million records, which appeared to be part of Honda North America infrastructure, exposed online to anyone with a web browser," the researcher wrote in his blog.
The database, apparently part of Honda's North American operation, required no authentication of any kind, not even a password, he wrote. The data held by the cluster includes full name, email address, phone number, mailing address, vehicle make and model, vehicle identification number (VIN) and agreement ID.
He immediately notified Honda and the company "acted promptly and secured the server within hours after initial notification", he wrote.
"Honda should be commended on how quickly it acted to take down their server after being made aware of this potentially dangerous vulnerability," said Shlomie Liberow, security engineer at HackerOne.
"Organisations that rely on digital services need to have processes in place to both allow and incentivise third party researchers to disclose vulnerabilities before they are exploited. Honda was fortunate that an ethical researcher got to this vulnerability before it was taken advantage of and fortunately it doesn’t look like the data exposed was ever accessed."
"The database in question is a data logging and monitoring server for telematics services for North America covering the process for new customer enrollment as well as internal logs," read the company’s reply to Diachenko, which was published on his blog.
He was unable to confirm the exact number of unique customer records. He estimated one million records, while a Honda statement puts the number of unique consumer-related records in this database at around 26,000.
"We are basing this number on a detailed review of the databases on this server, eliminating duplicate information and eliminating the data that does not contain consumer PII," said the company’s reply.
"We can also say with certainty that there was no financial, credit card or password information exposed on this database. The server on which the database resides was misconfigured on 21 October, 2019."
This is the second time this year that Honda has left data exposed online. Justin Paine, director of trust and safety at Cloudflare, disclosed in August the details of an unsecured Elasticsearch database, which turned out to be related to Honda's internal network and computers.
The exposed database, another Elasticsearch cluster, contained approximately 134 million documents totalling some 40GB of data. Honda promptly secured the database after Paine notified the company.
"Just because a product is freely available and highly scalable doesn’t mean you can skip the basic security recommendations and configurations. Beyond ensuring that products and services are correctly deployed and maintained by competent, experienced staff, organizations must also secure their cloud-based data by adopting a data-centric security model that protects the data at rest, in motion, and in use – even if a properly configured system is compromised," said Jonathan Deveaux, head of enterprise data protection at comforte AG.
"If anyone is still snoozing while dreaming that their data is safe while ‘hidden in plain sight’ on an ‘anonymous’ cloud resource, the string of lapses around ElasticSearch instances is a wakeup call in the form of a 3 am fire alarm."
However, Diachenko rejected the notion that Elasticsearch clusters are inherently insecure.
"In general, Elasticsearch is a very convenient and useful platform. I use it myself. But in most cases it is a configuration problem or lack of knowledge on cyber-hygiene," he told SC Media UK.