Honda Canada breach highlights lax testing, expert says

A data breach that potentially impacted 280,000 Honda Canada Inc. customers could have been dealt with more effectively by the automaker, according to a pair of security experts.

The automaker posted an alert on its Web site this week revealing a data breach involving the authorized access of customer names, addresses, vehicle ID numbers and Honda Financial Services account numbers. The breach has impacted customers of both the Honda and Acura brands.

The information accessed in the breach was related to a 2009 membership program called MyHonda and MyAcura. These customer-facing sites allowed customers to sign up for benefits such as vehicle-specific information, new warranty and maintenance news, and exclusive product information.

While the breach was discovered in February, the company only began sending out notification letters to customers a few weeks ago. Jerry Chenkin, executive vice-president at Honda Canada, said the company delayed telling customers about the breach because it wanted to figure out the scope of the damage first.

Honda Canada spokespeople failed to reply to a request for more information about the breach.

Terry Cutler, a co-founder and chief technology officer at Montreal-based Digital Locksmiths Inc., expressed some concerns over the attack, putting the spotlight on Honda’s testing and assessment processes. He said that because most companies still consider themselves to be “unhackable,” security testing budgets are almost frighteningly low.

Cutler recommends firms like Honda ramp up their “honeypot” traps — a scheme where an organization creates an isolated and monitored network site designed to attract  hackers — to help them get a better sense of the types of attacks they need to protect against.

“It gives them an early warning signal,” he said.

Culter said that in wake of the RSA SecureID data breach, enterprises will need to ramp up their testing efforts in order to prevent against a growing wave of network attacks.

“Hopefully this starts to open up some security budgets,” he said. “It’s time to get tested.”

Brian O’Higgins, an Ottawa-based independent security consultant who formally worked as CTO and co-founder at Third Brigade Inc., said another big lesson to come out of the breach should for organizations to move much quicker once discovered a security issue.

“If you suspect a breach, you jump on the notification process as soon as you can,” he said, adding that keeping a lid on things will only do more damage in the future.

“You can’t put your head in the sand,” he added.

For O’Higgins, a better risk management or disaster recovery plan might leave Honda better prepared for a future attack.

And despite a warning from Honda Canada, Cutler said the data breach could lead many customers victimized by phishing and social engineering attacks.

“The hackers will probably e-mail all of those 280,000 customers looking for more valuable information,” he said.

Honda Canada has yet to announce what steps it will take to prevent a future attack.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now