Data breach affects 4.9 million Honda customers

Victims include 2.2 million U.S. car owners whose names, e-mail addresses and unique vehicle numbers were revealed after a third-party vendor's database was hacked. Sophos warns of ensuing phishing scams following the leak.
Written by Vivian Yeo, Contributor

Japanese automaker Honda has put some 2.2 million customers in the United States on a security breach alert after a database containing information on the owners and their cars was hacked, according to reports.

The compromised list contained names, login names, e-mail addresses and 17-character Vehicle Identification Number--an automotive industry standard--which was used to send welcome e-mail messages to customers that had registered for an Owner Link account.

Another 2.7 million My Acura account users were also affected by the breach, but Honda said the list contained only e-mail addresses. Acura is the company's luxury vehicle brand.

According to Honda's notification e-mail to affected customers, the list was managed by a vendor. All Things Digital suggested, but could not confirm, that the vendor in question is e-mail marketing firm Silverpop Systems, which has been linked with the recent hacking incidents including that of fast-food giant McDonald's.

In a Web page addressing affected customers, Honda said it would be "difficult" for a victim's identity to be stolen based on the information that had been leaked. However, it has warned that customers ought to be wary of unsolicited e-mail messages requesting for personal information such as social security or credit card numbers.

Compelling scams an 'obvious danger'
Graham Cluley, senior technology consultant at Sophos, pointed out that cybercriminals who possess the list may e-mail the car owners to trick them into clicking on malicious attachments or links, or fool them into handing over personal information.

"If the hackers were able to present themselves as Honda, and reassured you that they were genuine by quoting your Vehicle Identification Number, then as a Honda customer you might very likely click on a link or open an attachment," he explained in a blog post.

Acura customers, he added, could also be on the receiving end of spam campaigns.

Cluley noted that the incident serves as a reminder that companies not only need to have adequate measures in place to protect customer data in their hands, they also need their partners and third-party vendors to "follow equally stringent best practices".

"It may not be your company [that] is directly hacked, but it can still be your customers' data that ends up exposed, and your brand name that is tarnished," he said.

Editorial standards