Honda Canada disclosed the loss of more than 283,000 records this week. Letters mailed to affected customers explained that the information was stolen in March when hackers broke into the myHonda and myAcura websites.
Honda waited over two months to notify its customers, claiming it needed to assess the gravity of the situation and determine exactly what data may have been stolen. While it is important to determine the facts, Honda appears to have been less forthright than they claim.
The letter mailed to Honda customers stated:
"The incident involved the possible improper access of information, as held in our records in 2009, specifically your name, address and Vehicle Identification Number."
A few days later they then appended the statement on their website to say:
"and in a small number of cases, Honda Financial Services ("HFS") account numbers."
The Toronto Star reports that this has triggered a class action lawsuit on behalf of affected customers. The lawyers are suing for $200 million in damages for failure to protect personal and confidential information and failure to notify customers in "a reasonable amount of time."
Similar to one of the Sony attacks, it is being reported that the data was left behind after a mailing campaign in 2009 and not properly deleted. Honda Canada should have been on high alert after a very similar incident at Honda USA.
Honda Canada customers should watch carefully for fraud or contact from parties claiming to be related to Honda or Honda Finance. Fortunately, most of the information that was compromised is public knowledge and did not include birth dates, Social Insurance Numbers or other confidential information.
Has your organization taken the appropriate steps to secure your customers' data? A little encryption can go a long way in protecting you from a data loss incident and as we see here, even lawsuits.
If you would like to learn more about data protection and the types of threats that can compromise your organization, why not download our free Data Security Toolkit?