American Honda says it has contacted millions of its customers after hackers stole a database containing names, email addresses, and VINs (the Vehicle Identification Number, the unique 17-character ID for your motor vehicle).
The obvious danger is that cybercriminals might use the list to send out emails to Honda customers, designed to trick them into clicking on malicious attachments or links, or fool them into handing over personal information. After all, if the hackers were able to present themselves as Honda, and reassured you that they were genuine by quoting your Vehicle Identification Number, then as a Honda customer you might be very likely to click on a link or open an attachment.
For that reason, Honda has contacted all of the 2.2 million customers it believes may have been affected by the security breach.
According to a report by the Columbus Dispatch, the data was stolen from a third-party company that sent out “Welcome” emails to customers who created accounts with the firm.
A further 2.7 million customers of Honda’s luxury Acura car brand were also exposed through a separate list, although in that case only email addresses are said to have been stolen.
Nevertheless, the email addresses could be used for sending out spam campaigns, and customers are unlikely to view the data breach sympathetically if they find themselves the target of unwanted email from spammers and phishers.
Honda has published further information and an FAQ for affected customers on its website.
There’s an important lesson that more companies can learn from cases like this. You don’t just need to ensure that you are taking enough care about the security and protection of the private customer data you store – you also need your partners and third-party vendors to follow equally stringent best practices.
It may not be your company that is directly hacked, but it can still be your customers’ data that ends up exposed, and your brand name that is tarnished.
We own a Honda. According to the email we got, "American Honda Motor Co., Inc. recently became aware of unauthorized access to an email list used by a vendor of customers who receive special offers and newsletters from Acura. We want to assure you that the only information that was obtained was your email address."
So according to Honda, there's NO mention of the VIN being revealed or anything other than our email. Want to bet which version is accurate? I just hope they didn't also reveal social security numbers or more!
Full disclosure, Honda!
Who is next on the hack list? Anyone left?
Why does the technology and general media refuse to name the company from which Honda data files were hacked, or the software technology used by said company so that other businesses in USA can avoid using this company or any other identified as using poor or weak security tools on behalf of their clients? Somehow I suspect that the media may have been intimidated about releasing names, which is a sad tactic of Microsoft in the past about revealing how insecure its software is in computer breaches. Witness 7-Eleven and TJMax debacles.