Honda ElasticSearch database exposing 40GB of internal system and device data
Security researchers found that Honda Motor, the Japanese automaker, had a database containing information on all of its employees worldwide, and that this database was unencrypted. After receiving the notice, Honda patched the related vulnerabilities.
In early July, security researcher Justin Paine discovered an unencrypted Honda ElasticSearch database. The database was only launched in mid-March this year, but the data accumulated so far already amounts to 40GB, including about 134 million documents.
On inspection, the exposed data covered almost all of Honda’s computer-related information. One of the forms includes employee email, department name, Honda machine hostname, MAC address, intranet IP, and operating system version; another form includes employee name, department, employee number, account number, mobile number, and recent login time. The researchers even found Honda’s full email, full name, MAC address, Windows operating system version, IP and device type.
After the researchers informed Honda, the company closed the loophole on the same day. Honda said that after tracing the system log, it found no signs of downloading by third parties and no evidence of data leakage. Honda said that it has made relevant enhancements to ensure that the same mistake is not repeated in the future.
Via: threatpost