Unprotected Elasticsearch database belonging to Honda exposes 134 million records of employee data

• The leaky database contained information for over 300,000 employees across the globe, which included employees’ names, email addresses, their last login, their computers' endpoint security vendor network information, OS versions, hostnames, and patch status.
• The database had a table named “uncontrolledmachine” which contained 3,000 entries about Honda’s internal computers that weren't using an endpoint security software.

Security researcher Justin Paine discovered an unprotected Elasticsearch instance belonging to Honda, which was publicly accessible without any authentication.

What was exposed?

The researcher noted that the information contained in the open database appears to be something like an inventory of all Honda internal machines.

• The database contained system information such as machine hostname, MAC address, internal IP address, OS version, patch status, and the status of Honda's endpoint security software.
• The leaky database contained information for over 300,000 employees across the globe, which included employees’ names, email addresses, their last login, their computers' endpoint security vendor network information, OS versions, hostnames, and patch status.
• The database also contained data on computers used by the company's CFO, CSO, and CEO.
• The database had a table named “uncontrolledmachine” which contained 3,000 entries about Honda’s internal computers that weren't using an endpoint security software.

“If an attacker is looking for a way into Honda's network knowing which machines are far less likely to identify/block their attacks would be critical information. These "uncontrolled machines" could very easily be the open door into the entire network,” Paine said.

Paine noted that the data was being updated every day with approximately 40,000 new entries containing information on Honda employees and their systems.

What was the response?

Justin Paine discovered the leaky database on July 4, 2019, and notified Honda about the issue on July 6, 2019. The database was found to be left open for almost 6 days from July 1, 2019, and was secured on July 6, 2019, nearly 10 hours after Paine notified the owner about the database.

“Thank you very much for pointing out the vulnerability. The security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers. We investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked, excluding the screenshots taken by you. We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future,” Honda told Paine in a statement.