Honda Data Breach Triggers Lawsuit

The class action suit accuses Honda of putting 283,000 customers at risk, in part by waiting two months to inform them of the data exposure.

Beware storing outdated customer data on websites. Honda Canada is learning that lesson the hard way, after a March breach in which 283,000 customers' details were exposed. Honda began informing affected customers by mail in May.

"The information that may have been accessed was related to a series of customer mail programs encouraging customers to register at the myHonda website," according to a statement posted on the Honda website. "The mailings all took place in 2009; however, the unauthorized access took place recently. Upon detection, immediate action was taken to prevent further unauthorized access."

The exposed information included names, addresses, and vehicle identification numbers (VINs) for Honda and Acura owners, as well as Honda Financial Services (HFS) account numbers. According to news reports, attackers accessed personalized website pages that Honda built with pre-populated customer data before inviting those customers in 2009 to access and customize the pages. As a result, even customers who hadn't signed up for myHonda may still have had their details compromised.

The breach parallels a December 2010 breach at Honda America that exposed similar information for 4.9 million customers of Honda and its Acura subsidiary. It's also similar to one of the attacks against Sony, revealed last month, in which hackers stole 2,500 records relating to a 2001 sweepstakes, stored on what Sony said was an "out of date and inactive" website.

As with the Sony breach, lawyers for Honda customers filed a class action lawsuit on behalf of affected customers, seeking 200 million Canadian dollars ($206 million). The claim says that the breach exposed customers to "theft of their identity, theft from their bank accounts, and theft from their debit and credit cards." It also says that Honda failed to disclose the breach to customers "in a reasonable amount of time."

But in its data breach disclosure letter to customers, dated May 13, Honda said that the stolen data isn't of the type typically exploited by identity thieves. "The information did not include any data that would typically be used for identity theft or fraud such as birth dates, telephone numbers, email addresses, credit card numbers, bank account numbers, driver's license numbers, social insurance numbers, or dollar amounts of HFS financing or payments." All the same, Honda recommended that customers stay "alert for marketing campaigns from third parties that reference your ownership of a Honda vehicle." That warning addresses the real residual risk: a name, home address, VIN, and financing account number are exactly the details that make a fraudulent letter or pretext phone call about "your Honda" look authentic.

Why, however, was there a two-month delay between detecting the breach and notifying customers? A Honda official told Canadian Business that the company needed "to fully gauge the gravity of the situation and determine exactly what information had been stolen."

Honda's retention of 2009 mailing data also appears to put the company at odds with Canadian privacy law. "Data breaches like these underline the importance of one of the fundamental tenets of Canadian privacy law: that personal information shall be retained only as long as necessary to fulfill the purposes for which it was created or collected and, once no longer required, should be destroyed, erased, or made anonymous," said David Elder, a lawyer at Ottawa-based law firm Stikeman Elliott, in a blog post.

He said that with proper planning, the Honda breach would have been "entirely avoidable." But the onus is on companies that retain any identifying information on customers to ensure that the information gets deleted in a timely manner. "All businesses that collect and retain such information should develop--and implement--a comprehensive data retention policy, setting out clearly justifiable retention periods for various data elements and mandating destruction after the expiry of these periods," he said.
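The retention principle Elder describes can be enforced mechanically rather than left to policy documents. The following is an added example written for this page, not Honda's code and not anything the article describes: a sweep over the kind of per-campaign customer records at issue here, with a hypothetical policy table that gives each data element a retention period counted from the end of the campaign it served and an action (erase or anonymize) once that period expires. Elements the policy does not list are treated as having no justified retention period and are erased. The record layout, the retention periods, the key, and the sample records are all constructed for illustration.

```python
"""Retention-policy sweep (added example; hypothetical policy and constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac

# Hypothetical retention policy: element -> (days kept after the campaign that
# collected it ended, action once expired). Illustrative values only.
RETENTION_POLICY = {
    "name":        (180, "erase"),
    "address":     (180, "erase"),
    "vin":         (180, "anonymize"),  # keyed hash keeps campaign counts usable
    "hfs_account": (90,  "erase"),
}


@dataclass
class CampaignRecord:
    customer_id: str
    campaign_completed: date          # the purpose the data served ended here
    data: dict                        # element -> value; edited in place by the sweep
    anonymized: set = field(default_factory=set)  # elements already pseudonymized


def pseudonymize(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the value under a secret key: not reversible without the key,
    but consistent, so anonymized records can still be counted or de-duplicated."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def apply_retention(record: CampaignRecord, today: date, key: bytes) -> dict:
    """Enforce RETENTION_POLICY on one record. Returns {element: action taken}."""
    actions = {}
    for element in list(record.data):
        if element in record.anonymized:
            continue                  # already reduced to a pseudonym; nothing to do
        if element not in RETENTION_POLICY:
            # Default deny: an element with no justified retention period is erased.
            del record.data[element]
            actions[element] = "erase"
            continue
        days, action = RETENTION_POLICY[element]
        if today > record.campaign_completed + timedelta(days=days):
            if action == "anonymize":
                record.data[element] = pseudonymize(record.data[element], key)
                record.anonymized.add(element)
            else:
                del record.data[element]
            actions[element] = action
    return actions


def sweep(records, today: date, key: bytes) -> dict:
    """Run the policy over a batch and return per-action counts for the audit log."""
    summary = {"erase": 0, "anonymize": 0}
    for rec in records:
        for action in apply_retention(rec, today, key).values():
            summary[action] += 1
    return summary


# Constructed sample records, not real customers. c1 dates from a 2009 campaign and
# is long past every retention period; c2 is recent and carries one unlisted element.
SAMPLE = [
    CampaignRecord("c1", date(2009, 6, 1),
                   {"name": "A. Example", "address": "1 Main St",
                    "vin": "VIN-EXAMPLE-0001", "hfs_account": "HFS-0001"}),
    CampaignRecord("c2", date(2011, 3, 1),
                   {"name": "B. Example", "address": "2 Main St",
                    "vin": "VIN-EXAMPLE-0002", "phone": "555-0100"}),
]

if __name__ == "__main__":
    key = b"demo-key-rotate-in-production"   # assumption: a managed secret in practice
    print(sweep(SAMPLE, date(2011, 5, 13), key))
    for rec in SAMPLE:
        print(rec.customer_id, rec.data)
```

Run on the sample as of 13 May 2011, the 2009 record loses its name, address, and financing account number and keeps only a keyed hash of the VIN, while the 2011 record keeps its policy-covered elements but loses the unlisted phone number. A second sweep is a no-op, which is the property you want from a job scheduled to run nightly: the pre-populated pages Honda built for its 2009 mailing would have been empty of personal data long before anyone found them.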

