Garmin's Navionics exposed data belonging to thousands of customers

An unsecured MongoDB server containing 19GB in customer and product data was exposed online.
Written by Charlie Osborne, Contributing Writer

Garmin-owned Navionics has inadvertently exposed data belonging to thousands of customers.

Bob Diachenko, Hacken.io director of cyber risk research, discovered the unsecured database on September 10, one day after search engine Shodan indexed the storage system.

The database contained 19GB in information relating to products and customers, including 261,259 unique customer records. These records contained email addresses, some names, purchased products IDs, and user IDs.

In addition, the database also contained customer software data such as application version, the platform used, device ID, longitude and latitude, boat speed, and other navigation details.

Navionics boasts the "world's number one boating app" which includes cartography for marine and lakes suitable for cruising, fishing, and sailing.

Garmin acquired the Italian electronic marine navigation charts company in October for an undisclosed amount. The brand was retained and existing customers were promised ongoing support.

CNET: Macy's breach exposed customer data, credit card numbers

According to Diachenko, the data leak was caused by MongoDB misconfiguration. Without any security measures to speak of, such as authentication credentials, this permitted anyone to access the database and exfiltrate data.

The security researcher reported his findings to Navionics on September 11 and the company secured the database on the same day.

TechRepublic: A data breach may be more expensive than you think, thanks to these hidden costs

"Navionics takes data protection very seriously, and we are grateful that Mr. Diachenko notified us of this misconfiguration using the responsible disclosure model," the company said. "Once notified, we immediately investigated and resolved the vulnerability."

Navionics says that there is no evidence of the information being accessed or stolen. However, the company has notified affected customers to be on the safe side.

See also: Heathrow Airport fined £120,000 over USB data breach debacle

"Luckily, the database remained intact when I discovered it, so this incident should not affect current Navionics customers," Diachenko said. "As we learned from this incident, one never knows when transient firewall rules may inadvertently expose your development machines to the public."

"In this case, it appears to have only exposed some pieces of personal information, but for others, it could be critical intellectual property or even your entire subscriber base that could be exposed," the researcher added.

MongoDB databases which are outdated or lack basic password protection are a common cause of inadvertent data breaches. In September, an unsecured database owned by an email marketing was found to contain 11 million records belonging to customers which were exposed online.

A basic guide to diving in to the dark web

Previous and related coverage

Editorial standards