Old 1st June 2018, 21:01   #1
BHPian
 
 
Join Date: Oct 2004
Location: Bangalore
Posts: 246
Thanked: 245 Times
Honda Connect data leaked! Personal details of thousands of Indian customers compromised

Honda Car India accidentally leaked the personal details of thousands of customers in two public, unsecured Amazon AWS S3 buckets.

The compromised data included names, phone numbers and email addresses of users and their trusted contacts, gender, passwords and car information such as VIN, Connect IDs and more.

https://www.bleepingcomputer.com/new...aws-s3-server/
kap04 is offline   (15) Thanks
Old 1st June 2018, 21:41   #2
Distinguished - BHPian
 
 
Join Date: Jan 2010
Location: TVPM
Posts: 3,928
Thanked: 12,580 Times
re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

Makes me even more wary about the whole 'connected thing' in automobiles.

Sure, we cannot avoid the risk of data loss in this age completely, but car makers most of the time just outsource in areas non-automobile related.

And to think, Toyota was fighting till the end to avoid third party interference to prevent data privacy issues, all the while inviting flak for being slow in adapting to Carplay/Android Auto.
DicKy is online now   (4) Thanks
Old 1st June 2018, 22:48   #3
Team-BHP Support
 
 
Join Date: Jun 2006
Location: Bangalore / TVM
Posts: 17,231
Thanked: 73,724 Times
re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

Quote:
Originally Posted by kap04 View Post
Unsecured Amazon AWS S3 buckets.
That's just basics of AWS and cloud storage in general, IMO-

1. Never leave a bucket out public.
2. Always use encryption for the data at rest.
3. Ensure proper auditing of all resources within the buckets. AWS provides so many tools and machine learning based resources for it.

Can't believe an organisation as big as Honda made so many basic blunders with customer data. Not only did they leave the data open to public, they failed to notice an ethical hacker left them an open note, for three months till another ethical hacker found it.

Honda Car India will probably get away with it easily because the customer sensitive data laws are not very strict in India. Such a mistake in European countries with their General Data Protection Regulation framework could have really hurt Honda hard.

The data leaked is clearly customer personal identifiable data -

Quote:
Names
User gender
Phone numbers for both users and their trusted contacts
Email addresses for both users and their trusted contacts
Account passwords
Car VIN
Car Connect IDs, and more

Last edited by CrAzY dRiVeR : 1st June 2018 at 22:55.
CrAzY dRiVeR is offline   (15) Thanks
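
Added example (not part of the original post above): a minimal Python check of the three basics listed in post #3, run over constructed configuration snapshots. It assumes the snapshots were collected beforehand in the shape of the S3 API responses for GetPublicAccessBlock, GetBucketAcl, GetBucketEncryption and GetBucketLogging, with a missing key meaning the setting is not configured; bucket names and IDs are hypothetical, and bucket policies are not examined.

```python
# Audit S3 bucket settings against: not public, encrypted at rest, audited.
# Input dicts mirror the S3 API response shapes (collected elsewhere; assumption).
GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {GROUPS + "AllUsers", GROUPS + "AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(snap):
    """Return sorted findings for one bucket's configuration snapshot."""
    findings = []
    # 1. Public exposure: all four public-access-block flags on,
    #    and no ACL grant to a global (anonymous or any-AWS-account) group.
    pab = snap.get("public_access_block", {}).get("PublicAccessBlockConfiguration", {})
    off = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if off:
        findings.append("public-access-block-incomplete: " + ",".join(off))
    for grant in snap.get("acl", {}).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            group = uri.rsplit("/", 1)[-1]
            findings.append(f"public-acl-grant: {grant.get('Permission')} to {group}")
    # 2. Encryption at rest: a default server-side encryption rule must exist.
    rules = (snap.get("encryption", {})
             .get("ServerSideEncryptionConfiguration", {}).get("Rules", []))
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               for r in rules):
        findings.append("no-default-encryption")
    # 3. Auditing: server access logging must be enabled.
    if "LoggingEnabled" not in snap.get("logging", {}):
        findings.append("access-logging-disabled")
    return sorted(findings)

# Constructed snapshots; bucket names and IDs are hypothetical.
SNAPSHOTS = {
    "example-open-bucket": {
        "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": GROUPS + "AllUsers"},
                            "Permission": "READ"}]},
    },
    "example-locked-bucket": {
        "public_access_block": {
            "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
        "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                            "Permission": "FULL_CONTROL"}]},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        "logging": {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "s3/"}},
    },
}

def audit_all(snapshots=SNAPSHOTS):
    """Map each bucket name to its list of findings (empty list means clean)."""
    return {name: audit_bucket(snap) for name, snap in snapshots.items()}
```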
Old 2nd June 2018, 11:14   #4
Team-BHP Support
 
Join Date: Sep 2010
Location: All over!
Posts: 7,771
Thanked: 19,314 Times
re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

This is not good! But data was/is never really truly secure. When a tech goliath such as Apple suffered the infamous iCloud hack (in which the most revered film personalities lost their privacy), Honda is a small fish.

Quote:
Originally Posted by CrAzY dRiVeR View Post
Can't believe an organisation as big as Honda made so many basic blunders with customer data.
Their third party vendor who built/manages this app most likely.

It's not just the details listed. Given some of the features of Honda Connect (Locate car, Geo fence), it tracked your car's movement as well.

Insurance companies and those that would like to know your typical movement (Uber/Google Maps) will have a field day with such (free) data.
libranof1987 is offline   (4) Thanks
Old 2nd June 2018, 11:45   #5
Team-BHP Support
 
 
Join Date: Jun 2007
Location: Bangalore
Posts: 6,572
Thanked: 44,776 Times
re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

I have mentioned the lack of seriousness on their part (when it comes to privacy and data breach) in my Aug 2016 post
http://www.team-bhp.com/forum/indian...ml#post4040099

This device is definitely not for "privacy conscious" individuals. For about a month, my app was linked to somebody else's Honda car in a city called Gulbarga! All because they mixed up device IDs. For about three weeks (that's what it took them to solve the problem), I was tracking this guy's driving habits.

- I knew his exact home address
- I knew he owned a textile shop (knew the address too!)
- He drops his son or daughter to school (knew the name/address of school too) before going to his shop.
- He never picked up the kids from school though. Mom's responsibility perhaps?
- He used to come back home for lunch!


Quote:
Originally Posted by libranof1987 View Post
Their third party vendor who built/manages this app most likely.
Correct. Everything from device manufacturing to customer support to payments are handled by an Indian company called Minda Industries. Honda just takes the commission.


Last edited by SmartCat : 2nd June 2018 at 11:46.
SmartCat is online now   (26) Thanks
Old 2nd June 2018, 11:48   #6
Team-BHP Support
 
 
Join Date: Jun 2006
Location: Bangalore / TVM
Posts: 17,231
Thanked: 73,724 Times
re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

Quote:
Originally Posted by libranof1987 View Post
But data was/is never really truly secure. When a tech goliath such as Apple suffered the infamous iCloud hack (in which the most revered film personalities lost their privacy), Honda is a small fish.
Hackers are genius minds - no doubt. Hence the fundamentals of cloud security expect you to know that your data can be hacked - and act on it.

To equate what Honda did in terms of simpler security measures of a house. (Please don't be offended. I'm not in any way assuming that you are not familiar with AWS).

1. They left their gates and doors open for the entire world to see.
2. A thief came in, looked around - and left a note on the door that the house is insecure. He requested them to lock it.
3. Three months that note was on the front door and no one noticed.
4. After three months, a second thief came in. And he noticed the note left by the first thief. And he went to the police for getting the house locked. Two weeks of trying later - the house got locked.

If you try to study any course of AWS - they would have covered this in the first hour itself. The mistakes are that basic!

Quote:
Originally Posted by libranof1987 View Post
Their third party vendor who built/manages this app most likely.
Quote:
Originally Posted by smartcat View Post
Correct. Everything from device manufacturing to customer support to payments are handled by an Indian company called Minda Industries. Honda just takes the commission.
Agreed. However, as per data privacy rules worldwide like the GDPR for Europe - Honda is the company requesting customer data here and is solely responsible for ensuring the responsible handling of that data. A backend provider has to completely adhere to the guidelines set by Honda, but the ownership of ensuring data privacy resides on Honda, in this case.

Not that it would matter in India. I would be surprised if other media channels hardly even cover this news item. Reporting about a missing touchscreen feature might get more views in our country.

Last edited by CrAzY dRiVeR : 2nd June 2018 at 11:56.
CrAzY dRiVeR is offline   (16) Thanks
Old 4th June 2018, 10:07   #7
GTO
Team-BHP Support
 
 
Join Date: Feb 2004
Location: Bombay
Posts: 71,143
Thanked: 305,521 Times
Re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

Quote:
Originally Posted by kap04 View Post
The compromised data included names, phone numbers and email addresses of users and their trusted contacts, gender, passwords and car information such as VIN, Connect IDs and more.
Sucks, but data is hardly private in today's "connected" world. Not just talking about Google, Facebook and gang, but even at the grassroots level, car dealers (big & small) will sell your data to insurance / loan / real estate companies. When I was running my education business, there were companies willing to supply us a reliable database of car owners (you could even specify the make - e.g. Honda or Mercedes) for peanuts.

Quote:
Originally Posted by smartcat View Post
- I knew his exact home address
- I knew he owned a textile shop (knew the address too!)
- He drops his son or daughter to school (knew the name/address of school too) before going to his shop.
- He never picked up the kids from school though. Mom's responsibility perhaps?
- He used to come back home for lunch!
Now that is shocking! I agree with Dicky - as far as possible, I'd like to keep this 'connected car' thing out of my cars.
GTO is offline   (10) Thanks
Old 4th June 2018, 10:56   #8
Distinguished - BHPian
 
 
Join Date: May 2007
Location: BANGALORE
Posts: 7,177
Thanked: 12,880 Times
Re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

Quote:
Originally Posted by GTO View Post
Sucks, but data is hardly private in today's "connected" world.
Coincidentally, front page today on the NYT:

https://www.nytimes.com/interactive/...T.nav=top-news

Facebook Gave Device Makers Deep Access to Data on Users and Friends
itwasntme is online now   (1) Thanks
Old 4th June 2018, 18:33   #9
Senior - BHPian
 
 
Join Date: Sep 2014
Location: Chennai
Posts: 4,981
Thanked: 9,183 Times
Re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

Quote:
Originally Posted by libranof1987 View Post
This is not good! But data was/is never really truly secure. When a tech goliath such as Apple suffered the infamous iCloud hack (in which the most revered film personalities lost their privacy), Honda is a small fish.

The incident you refer to was where several celebrities were targeted with phishing emails that tricked them into revealing their passwords to a criminal who then logged into their iCloud accounts and stole intimate pictures and videos.

It was not a sitewide data leak like this Honda incident so let's please have a bit of perspective here

Apple has always - over the last few years at least, from much before this celebrity compromise - encouraged users to set up 2 factor authentication. I would encourage you to enable 2FA for ALL significant accounts you have (google, facebook, twitter etc) besides for your Apple ID.

https://support.apple.com/en-in/HT204915 has full instructions.

edit - this is posted in my personal capacity, and I am speaking entirely for myself here <- sorry, but in this case I do have to add this disclaimer.

Last edited by hserus : 4th June 2018 at 18:35.
hserus is offline   (5) Thanks
Old 5th June 2018, 07:51   #10
Distinguished - BHPian
 
Join Date: Apr 2013
Location: Beans Town
Posts: 1,847
Thanked: 8,356 Times
Re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

Your data is leaked the minute it is handed over, whether it's to the data management company, Google, FB, WhatsApp, Honda, Apple etc. Let us not conveniently forget that "people" man the control over such data.. these very people can access at random your age, DOB, address and other even more personal data like email ID, phone, family if such data is given. I sure won't.

Data mining is the reason that giants like Google and Facebook exist, they trawl through the internet space for data on each and every user. Small controversies happen every now and then like the PlayStation data breach for which ridiculously, North Korea was blamed (NK has a billion problems, but to hack Sony? Please LOL), the iCloud hack (which only made the "victims" more famous), and now this one. Let's not forget that banks, educational institutions, restaurants, online sellers, sell your identity each and every day. It's now common that there simply is no code of ethics when it comes to data.. even now I get calls for servicing/renewing insurance of my previous car which I sold a year ago, how did "private" insurance scam artists with no association with the dealership, apparently, get my number?

The internet takes more than it gives.. I'm happy to be old school and I mostly deny giving my data to anyone and even if I do, I give false data where there is no relevance. Remember the leak happens in the first instance that you share it, it's like petrol.. you hand it over in a bottle and whether it is used (poured into a vehicle), or evaporates or simply used to burn you to the ground is the choice of the person you give it to.
dark.knight is offline   (2) Thanks
Old 5th June 2018, 07:58   #11
Senior - BHPian
 
 
Join Date: Sep 2014
Location: Chennai
Posts: 4,981
Thanked: 9,183 Times
Re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

I won't try to convince you beyond saying that privacy controls (and compliance with privacy regulations) are actually a serious matter in some companies so that privacy is designed from the ground up, versus other companies that are designed from the ground up to mine your data.

You are right to be careful in where you give out data.

However, saying "all such companies are bad by default" is about the same as a blanket statement that "all politicians are crooks" or "all cars by marque X are tincans".

Fine, we aren't going to convince each other and I made the point I wished to make. Thanks for listening.
hserus is offline   (3) Thanks
Old 5th June 2018, 09:48   #12
Team-BHP Support
 
 
Join Date: Dec 2004
Location: MH-12
Posts: 8,470
Thanked: 14,051 Times
Re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

Can only laugh at the way non-tech companies rely on advice by third party system integrators without having their own information security standard. Honda is not alone, public facing S3 buckets have caused much more damage than what Honda faced.

Very recently, Tesla's AWS cloud was used for crypto mining by hackers. While this doesn't classify as a data breach, it surely does expose how public credentials can cause a hack on your cloud. Not everyone wants your data, many want to use your computing resources without detection. link.

Among the major breaches, Experian's data was exposed by its vendor Alteryx and it caused mayhem: Link.

And if you believe the US fed space is immune from this, think again. Look at the top 10 companies who exposed data using public facing S3 buckets. - Link.
moralfibre is offline   (2) Thanks
Old 5th June 2018, 09:55   #13
Senior - BHPian
 
 
Join Date: Sep 2014
Location: Chennai
Posts: 4,981
Thanked: 9,183 Times
Re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

In my 20+ years doing security for very large cloud services, I've seen these and worse. I won't say there isn't a lot of incompetence and/or malice spread across many players. I will definitely also say that there are a lot of people out there doing very good work. Just reading headlines to cherry pick disasters may not always give you the whole picture.
hserus is offline   (4) Thanks
Old 5th June 2018, 13:19   #14
GTO
Team-BHP Support
 
 
Join Date: Feb 2004
Location: Bombay
Posts: 71,143
Thanked: 305,521 Times
Re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

Honda drops a line & clarifies that data was vulnerable, but it wasn't stolen / leaked:

Quote:
Our initial investigation has revealed that some data on the AWS server was vulnerable and we regret the same. It has now been secured with the help of our cyber security experts.

As per the current investigation and data collected, there are no indicators so far to suggest that there has been any leakage of the data.
GTO is offline   (4) Thanks
Old 5th June 2018, 14:29   #15
mxh
BHPian
 
 
Join Date: Dec 2015
Location: Mumbai
Posts: 319
Thanked: 280 Times
Re: Honda Connect data leaked! Personal details of thousands of Indian customers compromised

In the light of this data leak I don't want any of my data with Honda and I want to delete my account along with the data but there is no option to do so! Any way to achieve this?
mxh is offline  
Copyright ©2000 - 2024, Team-BHP.com