"The information that may have been accessed was related to a series of customer mail programs encouraging customers to register at the myHonda website," according to a statement posted on the Honda website. "The mailings all took place in 2009, however; the unauthorized access took place recently. Upon detection, immediate action was taken to prevent further unauthorized access."
The exposed information included names, addresses, and vehicle identification numbers (VINs) for Honda and Acura owners, as well as Honda Financial Services (HFS) account numbers. According to news reports, attackers accessed personalized website pages that Honda built with pre-populated customer data before inviting those customers in 2009 to access and customize the pages. As a result, even customers who hadn't signed up for myHonda may still have had their details compromised.
The breach parallels a December 2010 breach at Honda America that exposed similar information for 4.9 million customers of Honda and its Acura subsidiary. It's also similar to one of the attacks against Sony, revealed last month, in which hackers stole 2,500 records relating to a 2001 sweepstakes, stored on what Sony said was an "out of date and inactive" website.
As with the Sony breach, lawyers for Honda customers filed a class action lawsuit on behalf of affected customers, seeking 200 million Canadian dollars ($206 million). The claim says that the breach exposed customers to "theft of their identity, theft from their bank accounts, and theft from their debit and credit cards." It also says that Honda failed to disclose the breach to customers "in a reasonable amount of time."
But in its data breach disclosure letter to customers, dated May 13, Honda said that the stolen data isn't of the type typically exploited by identity thieves. "The information did not include any data that would typically be used for identity theft or fraud such as birth dates, telephone numbers, email addresses, credit card numbers, bank account numbers, driver's license numbers, social insurance numbers, or dollar amounts of HFS financing or payments." All the same, Honda recommended that customers stay "alert for marketing campaigns from third parties that reference your ownership of a Honda vehicle."
Why, however, was there a two-month delay between detecting the breach and notifying customers? A Honda official told Canadian Business that the company needed "to fully gauge the gravity of the situation and determine exactly what information had been stolen."
Honda's data breach apparently also puts the company in violation of Canadian law. "Data breaches like these underline the importance of one of the fundamental tenets of Canadian privacy law: that personal information shall be retained only as long as necessary to fulfill the purposes for which it was created or collected and, once no longer required, should be destroyed, erased, or made anonymous," said David Elder, a lawyer at Ottawa-based law firm Stikeman Elliott, in a blog post.
He said that with proper planning, the Honda breach would have been "entirely avoidable." But the onus is on companies that retain any identifying information on customers to ensure that the information gets deleted in a timely manner. "All businesses that collect and retain such information should develop--and implement--a comprehensive data retention policy, setting out clearly justifiable retention periods for various data elements and mandating destruction after the expiry of these periods," he said.