Subsequent to misconfiguring an ‘Elasticsearch cluster’ on October 21, the multinational conglomerate Honda exposed around 26,000 vehicle owner records containing personally identifiable information (PII) of North American customers.
Security Discovery researcher Bob Diachenko reached out to Honda’s security team in Japan following which the team immediately verified the publicly accessible server within only a couple of hours.
The database records incorporated the customers’ full names, email addresses, phone numbers, mailing address, vehicle make and model, vehicle VINs, agreement ID, and various service information on their Honda vehicles, the company later included that none of its North American customers’ financial information, credit card information, or credentials were uncovered in the episode.
While the company responded instantly in the wake of being informed that the misconfigured Elasticsearch cluster was publicly accessible on the Internet, Diachenko says that their week-long public exposure “would have allowed malicious parties ample time to copy the data for their own purposes if they found it.”
The Honda customers’ information may be utilized in highly targeted phishing attacks later on if the information was spilled during the week the database was exposed.
Anyway this isn’t the first episode for Honda for being involved with such occurrences, for in the past there were comparable circumstances experienced by the ‘automotive giant’, with the most recent one from July 2019 additionally including a publicly accessible ElasticSearch database that exposed about 134 million documents containing 40 GB worth of information on roughly 300,000 Honda employees from around the world.
Despite the fact that Elastic Stack’s ‘core security features’ are free since May per an announcement made by Elastic NV, publicly accessible and “unsecured” ElasticSearch clusters are continually being spotted by security researchers while scouring the web for unprotected databases. “
This means that users can now encrypt network traffic, create and manage users, define roles that protect index and cluster level access, and fully secure Kibana with Spaces, “ElasticSearch’s designer’s state.
Nonetheless Elastic NV recommends database administrators to verify their ElasticSearch stack by “encrypting communications, role-based access control, IP filtering, and auditing,” by appropriately configuring the cluster before conveying it, and by setting up passwords for the servers’ built-in clients.