Honda Canada Loses 283,000 Customers Personal Records

Following the high profile data breach recently experienced by Japans Sony Corporation, Honda Canada has reported that it has also suffered from a massive data breach compromising the account details of hundreds of thousands of customers.

Honda Canada disclosed the loss of more than 283,000 records on May 26. Letters mailed to affected customers on May 13 explained that the information was stolen in end of Feb 2011, when hackers broke into the myHonda and myAcura websites.

The breach was discovered in late February. However, the company only began notifying customers of the compromise earlier this month. The company says identification theft is unlikely because no SSNs, driver license details, birth dates or bank details were compromised.

Jerry Chenkin, executive vice president of Honda Canada, said that the reason for the delay was because the company needed time to figure out the scope of the breach before it could begin notifying customers.

An undated alert posted on the company's Web site said the incident involved the unauthorized access of customer names, addresses, vehicle identification numbers, and in the case of a small number of customers, their Honda Financial Services account numbers.

The breach involved data that was on a mailing list used by Honda in 2009 for a marketing program. "The mailings all took place in 2009; however, the unauthorized access took place recently," the company claimed in its alert.

Honda had contacted about 280,000 customers via a mail campaign in 2009 asking them to register their personal Web sites. As part of that campaign, Honda had pre-populated each personal Web page with details about the owner and his or her vehicles. Data from these personal sites is what appears to have been illegally accessed, Chenkin said.

According to Chenkin, unknown intruders breached a Web server that allows Honda and Acura customers in Canada to set up personal myHonda and myAcura Web sites. Honda's IT staff discovered the breach when they were investigating the cause of unusual activity going on in the Web server hosting the MyHonda and MyAcura sites, he said.

Once the breach we discovered, the system was immediately taken offline while the cause and scope of the breach was identified, Chenkin said. The note warned affected customers to be on the lookout for phishing campaigns referencing their ownership of a Honda vehicle. Honda emphasized that it does not share customer data with unauthorized third parties and does not contact customers asking for financial information. But for the moment, customers do not have to take any measures to protect themselves, the company said.

We would like to apologize for this incident and assure our customers that the protection and safe-keeping of your information is a responsibility that we take very seriously, it said.

In January this year, American Honda Motor Corp., Inc. reported similar instances of data breach involving email addresses, phone numbers, bank account numbers, license plate and chassis numbers of more than 2.2 million customers, who were mostly Japanese, after an enormous database containing sensitive personal information about the customers was hacked.

The number of cyber attacks is only going to increase if organizations and companies fail to pay attention to the vulnerabilities of their network security. One proven way to mitigate information security risks is through technical security training that will enhance the skills proficiency of the cyber security workforce. EC-Council has launched the Center of Advanced Security Training (CAST) to address the deficiency of technically proficient information security professionals.

CAST will provide advanced technical security training covering topics such as advanced penetration testing training, Digital Mobile Forensics, Cryptography, Advanced Network Defense, and advanced application security training, among others. These highly sought after and lab-intensive Information Security training courses will be offered at all EC-Council-hosted conferences and events, and through specially selected authorized training centres.