6/1/2011 11:45 AM

Honda Data Breach Triggers Lawsuit

The class action suit accuses Honda of putting 283,000 customers at risk, in part by waiting two months to inform them of the data exposure.

Slideshow: 10 Massive Security Breaches
Beware storing outdated customer data on websites. Honda Canada is learning that lesson the hard way, after a March breach in which 283,000 customers' details were exposed. Honda began informing affected customers by mail in May.

"The information that may have been accessed was related to a series of customer mail programs encouraging customers to register at the myHonda website," according to a statement posted on the Honda website. "The mailings all took place in 2009; however, the unauthorized access took place recently. Upon detection, immediate action was taken to prevent further unauthorized access."

The exposed information included names, addresses, and vehicle identification numbers (VINs) for Honda and Acura owners, as well as Honda Financial Services (HFS) account numbers. According to news reports, attackers accessed personalized website pages that Honda built with pre-populated customer data before inviting those customers in 2009 to access and customize the pages. As a result, even customers who hadn't signed up for myHonda may still have had their details compromised.

The breach parallels a December 2010 breach at Honda America that exposed similar information for 4.9 million customers of Honda and its Acura subsidiary. It's also similar to one of the attacks against Sony, revealed last month, in which hackers stole 2,500 records relating to a 2001 sweepstakes, stored on what Sony said was an "out of date and inactive" website.

As with the Sony breach, lawyers for Honda customers filed a class action lawsuit on behalf of affected customers, seeking 200 million Canadian dollars ($206 million). The claim says that the breach exposed customers to "theft of their identity, theft from their bank accounts, and theft from their debit and credit cards." It also says that Honda failed to disclose the breach to customers "in a reasonable amount of time."

But in its data breach disclosure letter to customers, dated May 13, Honda said that the stolen data isn't of the type typically exploited by identity thieves. "The information did not include any data that would typically be used for identity theft or fraud such as birth dates, telephone numbers, email addresses, credit card numbers, bank account numbers, driver's license numbers, social insurance numbers, or dollar amounts of HFS financing or payments." All the same, Honda recommended that customers stay "alert for marketing campaigns from third parties that reference your ownership of a Honda vehicle."

Why, however, was there a two-month delay between detecting the breach and notifying customers? A Honda official told Canadian Business that the company needed "to fully gauge the gravity of the situation and determine exactly what information had been stolen."

Honda's data breach apparently also puts the company in violation of Canadian law. "Data breaches like these underline the importance of one of the fundamental tenets of Canadian privacy law: that personal information shall be retained only as long as necessary to fulfill the purposes for which it was created or collected and, once no longer required, should be destroyed, erased, or made anonymous," said David Elder, a lawyer at Ottawa-based law firm Stikeman Elliott, in a blog post.

He said that with proper planning, the Honda breach would have been "entirely avoidable." But the onus is on companies that retain any identifying information on customers to ensure that the information gets deleted in a timely manner. "All businesses that collect and retain such information should develop--and implement--a comprehensive data retention policy, setting out clearly justifiable retention periods for various data elements and mandating destruction after the expiry of these periods," he said.
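To make the retention control Elder describes concrete, here is an added illustration (example code written for this article, not Honda's or the law firm's): a schedule that maps each collection purpose to a justified retention period and a disposition, applied to a handful of constructed records. The purpose names, periods, field names and records are all assumptions. A 2009 mailing record whose period has lapsed is destroyed, an old financing record is anonymized by stripping its identifiers while non-identifying fields survive for reporting, and a record whose purpose has no rule is flagged rather than silently kept, since an unclassified data element is exactly the gap that leaves stale personal data sitting on a web server.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RetentionRule:
    retention: timedelta              # how long the element may be kept after its clock starts
    disposition: str                  # "destroy" drops the record; "anonymize" strips identifiers
    identifying_fields: Tuple[str, ...] = ()   # fields removed when anonymizing


# Constructed policy (assumption for illustration, not any company's real schedule).
POLICY: Dict[str, RetentionRule] = {
    # One-off marketing mailing: the clock starts at the mailing date.
    "campaign_mailing": RetentionRule(timedelta(days=180), "destroy"),
    # Financing account: the clock starts when the account is closed.
    "financing_account": RetentionRule(
        timedelta(days=365 * 7), "anonymize", ("name", "address", "vin", "hfs_account")
    ),
}


@dataclass
class Record:
    record_id: str
    purpose: str                      # why the data was collected; selects the rule
    clock_start: date                 # date the retention period begins
    fields: Dict[str, str]


def is_expired(rule: RetentionRule, clock_start: date, today: date) -> bool:
    """True once the justified retention period for this purpose has passed."""
    return today > clock_start + rule.retention


def apply_retention(records: List[Record], policy: Dict[str, RetentionRule],
                    today: date) -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Return the records that may still be held, plus an audit trail of actions."""
    kept: List[Record] = []
    actions: List[Tuple[str, str]] = []
    for rec in records:
        rule = policy.get(rec.purpose)
        if rule is None:
            # No justified period exists for this purpose: keep, but surface the gap.
            actions.append((rec.record_id, "no_rule"))
            kept.append(rec)
            continue
        if not is_expired(rule, rec.clock_start, today):
            actions.append((rec.record_id, "retained"))
            kept.append(rec)
            continue
        if rule.disposition == "destroy":
            actions.append((rec.record_id, "destroyed"))
            continue
        # Anonymize: drop the identifying elements, keep the rest for aggregate use.
        stripped = {k: v for k, v in rec.fields.items() if k not in rule.identifying_fields}
        kept.append(Record(rec.record_id, rec.purpose, rec.clock_start, stripped))
        actions.append((rec.record_id, "anonymized"))
    return kept, actions


def demo() -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Run the policy over constructed sample records as of a constructed date."""
    records = [
        Record("m-001", "campaign_mailing", date(2009, 6, 15),
               {"name": "A. Example", "address": "1 Sample St", "vin": "VIN-PLACEHOLDER-1"}),
        Record("a-001", "financing_account", date(2010, 1, 1),
               {"name": "B. Example", "hfs_account": "HFS-PLACEHOLDER-1", "province": "ON"}),
        Record("a-002", "financing_account", date(2003, 1, 1),
               {"name": "C. Example", "vin": "VIN-PLACEHOLDER-2", "province": "BC", "model": "Civic"}),
        Record("x-001", "legacy_export", date(2008, 3, 3),
               {"name": "D. Example", "address": "4 Sample Rd"}),
    ]
    return apply_retention(records, POLICY, today=date(2011, 3, 1))


if __name__ == "__main__":
    kept, actions = demo()
    for record_id, action in actions:
        print(f"{record_id}: {action}")
    print(f"{len(kept)} record(s) still held")
```

Running it as of the constructed date prints one line per record (`destroyed`, `retained`, `anonymized`, `no_rule`) and the count still held. In practice the `actions` list is the part worth keeping: it is the evidence that destruction actually happened on schedule, and any `no_rule` entries are the data elements the policy still has to classify.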
