
Honda Data Breach Triggers Lawsuit

The class action suit accuses Honda of putting 283,000 customers at risk, in part by waiting two months to inform them of the data exposure.

Beware storing outdated customer data on websites. Honda Canada is learning that lesson the hard way, after a March breach in which 283,000 customers' details were exposed. Honda began informing affected customers by mail in May.

"The information that may have been accessed was related to a series of customer mail programs encouraging customers to register at the myHonda website," according to a statement posted on the Honda website. "The mailings all took place in 2009; however, the unauthorized access took place recently. Upon detection, immediate action was taken to prevent further unauthorized access."

The exposed information included names, addresses, and vehicle identification numbers (VINs) for Honda and Acura owners, as well as Honda Financial Services (HFS) account numbers. According to news reports, attackers accessed personalized website pages that Honda built with pre-populated customer data before inviting those customers in 2009 to access and customize the pages. As a result, even customers who hadn't signed up for myHonda may still have had their details compromised.

The breach parallels a December 2010 breach at Honda America that exposed similar information for 4.9 million customers of Honda and its Acura subsidiary. It's also similar to one of the attacks against Sony, revealed last month, in which hackers stole 2,500 records relating to a 2001 sweepstakes, stored on what Sony said was an "out of date and inactive" website.

As with the Sony breach, lawyers for Honda customers filed a class action lawsuit on behalf of affected customers, seeking 200 million Canadian dollars ($206 million). The claim says that the breach exposed customers to "theft of their identity, theft from their bank accounts, and theft from their debit and credit cards." It also says that Honda failed to disclose the breach to customers "in a reasonable amount of time."

But in its data breach disclosure letter to customers, dated May 13, Honda said that the stolen data isn't of the type typically exploited by identity thieves. "The information did not include any data that would typically be used for identity theft or fraud such as birth dates, telephone numbers, email addresses, credit card numbers, bank account numbers, driver's license numbers, social insurance numbers, or dollar amounts of HFS financing or payments." All the same, Honda recommended that customers stay "alert for marketing campaigns from third parties that reference your ownership of a Honda vehicle."

Why, however, was there a two-month delay between detecting the breach and notifying customers? A Honda official told Canadian Business that the company needed "to fully gauge the gravity of the situation and determine exactly what information had been stolen."

Honda's data breach apparently also puts the company in violation of Canadian law. "Data breaches like these underline the importance of one of the fundamental tenets of Canadian privacy law: that personal information shall be retained only as long as necessary to fulfill the purposes for which it was created or collected and, once no longer required, should be destroyed, erased, or made anonymous," said David Elder, a lawyer at Ottawa-based law firm Stikeman Elliott, in a blog post.

He said that with proper planning, the Honda breach would have been "entirely avoidable." But the onus is on companies that retain any identifying information on customers to ensure that the information gets deleted in a timely manner. "All businesses that collect and retain such information should develop--and implement--a comprehensive data retention policy, setting out clearly justifiable retention periods for various data elements and mandating destruction after the expiry of these periods," he said.
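The retention policy Elder describes only helps if something actually enforces it. The following is an added example, not Honda's code or anything from the article, of a periodic sweep that applies per-field retention periods to customer records of the kind exposed here: fields past their period are erased, a record with no identifying field left is dropped, and any data element the schedule does not cover raises an error rather than being kept by default. The field names, the retention periods and the sample records are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Illustrative retention schedule in days per data element. These field names
# and periods are assumptions for this example, not any company's real policy.
RETENTION_DAYS = {
    "name": 180,
    "address": 180,
    "vin": 365,
    "hfs_account": 365,
}

# Fields that identify a customer; a record with none of them left is dropped.
IDENTIFYING_FIELDS = frozenset(RETENTION_DAYS)


def enforce_retention(records, as_of, schedule=RETENTION_DAYS):
    """Apply per-field retention to a list of customer records.

    Each record is a dict with a 'collected_at' datetime plus data fields.
    A field older than its retention period is erased; a record left with
    no identifying field is dropped entirely. A field with no period in the
    schedule raises, so undocumented data cannot be retained by omission.
    Returns (kept_records, erased_field_count, dropped_record_count).
    """
    kept, erased, dropped = [], 0, 0
    for rec in records:
        age = as_of - rec["collected_at"]
        out = {"collected_at": rec["collected_at"]}
        for field, value in rec.items():
            if field == "collected_at":
                continue
            limit = schedule.get(field)
            if limit is None:
                raise ValueError(f"no retention period defined for {field!r}")
            if age <= timedelta(days=limit):
                out[field] = value
            else:
                erased += 1
        if IDENTIFYING_FIELDS.intersection(out):
            kept.append(out)
        else:
            dropped += 1
    return kept, erased, dropped


# Constructed sample data: three mail-campaign records of different ages,
# evaluated as of 1 March 2011 (the month of the breach).
AS_OF = datetime(2011, 3, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {   # 2009 campaign record: every field is past its period
        "collected_at": datetime(2009, 6, 1, tzinfo=timezone.utc),
        "name": "A. Customer", "address": "1 Example St",
        "vin": "VIN-SAMPLE-0001", "hfs_account": "HFS-0001",
    },
    {   # 273 days old: name/address expire, VIN and account still retained
        "collected_at": datetime(2010, 6, 1, tzinfo=timezone.utc),
        "name": "B. Customer", "address": "2 Example St",
        "vin": "VIN-SAMPLE-0002", "hfs_account": "HFS-0002",
    },
    {   # 59 days old: nothing expires
        "collected_at": datetime(2011, 1, 1, tzinfo=timezone.utc),
        "name": "C. Customer", "address": "3 Example St",
        "vin": "VIN-SAMPLE-0003", "hfs_account": "HFS-0003",
    },
]


def run_example():
    """Run the sweep over the constructed sample records."""
    return enforce_retention(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    kept, erased, dropped = run_example()
    print(f"kept {len(kept)} records, erased {erased} fields, dropped {dropped} records")
    for rec in kept:
        print(sorted(k for k in rec if k != "collected_at"))
```

Run against the sample data, the 2009 record is dropped outright, the 2010 record keeps only its VIN and HFS account number, and the 2011 record is untouched. The point of failing on an unscheduled field is that a new data element added to a campaign page cannot silently live forever just because nobody wrote down how long it should be kept.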

