Canadian security analysts argue that Honda Canada testing and assessment techniques are likely at the heart of the data breach. Plus, why the automaker should have been faster to disclose the news
A data breach that potentially impacted 280,000 Honda Canada Inc. customers could have been dealt with more effectively by the automaker, according to a pair of security experts.
The automaker posted an alert on its Web site this week revealing a data breach involving the authorized access of customer names, addresses, vehicle ID numbers and Honda Financial Services account numbers. The breach has impacted customers of both the Honda and Acura brands.
The information accessed in the breach was related to a 2009 membership program called MyHonda and MyAcura. These customer-facing sites allowed customers to sign up for benefits such as vehicle-specific information, new warranty and maintenance news, and exclusive product information.
While the breach was discovered in February, the company only began sending out notification letters to customers a few weeks ago. Jerry Chenkin, executive vice-president at Honda Canada, said the company delayed telling customers about the breach because it wanted to figure out the scope of the damage first.
Honda Canada spokespeople failed to reply to a request for more information about the breach.
Terry Cutler, a co-founder and chief technology officer at Montreal-based Digital Locksmiths Inc., expressed some concerns over the attack, putting the spotlight on Honda’s testing and assessment processes. He said that because most companies still consider themselves to be “unhackable,” security testing budgets are almost frighteningly low.
Cutler recommends firms like Honda ramp up their “honeypot” traps — a scheme where an organization creates an isolated and monitored network site designed to attract hackers — to help them get a better sense of the types of attacks they need to protect against.
“It gives them an early warning signal,” he said.
Culter said that in wake of the RSA SecureID data breach, enterprises will need to ramp up their testing efforts in order to prevent against a growing wave of network attacks.
“Hopefully this starts to open up some security budgets,” he said. “It’s time to get tested.”
Brian O’Higgins, an Ottawa-based independent security consultant who formally worked as CTO and co-founder at Third Brigade Inc., said another big lesson to come out of the breach should for organizations to move much quicker once discovered a security issue.
“If you suspect a breach, you jump on the notification process as soon as you can,” he said, adding that keeping a lid on things will only do more damage in the future.
“You can’t put your head in the sand,” he added.
For O’Higgins, a better risk management or disaster recovery plan might leave Honda better prepared for a future attack.
And despite a warning from Honda Canada, Cutler said the data breach could lead many customers victimized by phishing and social engineering attacks.
“The hackers will probably e-mail all of those 280,000 customers looking for more valuable information,” he said.
Honda Canada has yet to announce what steps it will take to prevent a future attack.