Friday, May 27, 2011
Update: Honda Canada breach exposed data on 280,000 individuals
By Jaikumar Vijayan
May 26, 2011 05:05 PM ET
Company says ID theft unlikely because no SSNs, driver license details, birth dates, bank details were compromised
Computerworld - Honda Canada has notified about 280,000 customers in that country of a data breach involving the compromise of their personal data.
The breach was discovered in late February. However the company only began notifying customers of the compromise earlier this month.
An undated alert posted on the company's Web site said the incident involved the unauthorized access of customer names, addresses, vehicle identification numbers, and in the case of a small number of customers, their Honda Financial Services account numbers.
Jerry Chenkin, executive vice president of Honda Canada, said Thursday the reason for the delay was because the company needed time to figure out the scope of the breach before it could begin notifying customers.
According to Chenkin, unknown intruders breached a Web server that allows Honda and Acura customers in Canada to set up personal MyHonda and MyAcura Web sites.
Honda had contacted about 280,000 customers via a mail campaign in 2009 asking them to register their personal Web sites. As part of that campaign, Honda had pre-populated each personal Web page with details about the owner and his or her vehicles. Data from these personal sites is what appears to have been illegally accessed, Chenkin said.
Honda's IT staff discovered the breach when they were investigating the cause of unusual activity going on in the Web server hosting the MyHonda and MyAcura sites, he said.
Once the breach we discovered, the system was immediately taken offline, while the cause and scope of the breach was identified, Chenkin said.
The data that was exposed is unlikely to result in identity theft because it did not include details such as Social Security numbers, driver's license information, birth dates, phone numbers or credit card numbers, Honda said in its notice.
The note warned affected customers to be on the lookout for phishing campaigns referencing their ownership of a Honda vehicle. But for the moment, customers do not have to take any measures to protect themselves, the company said.
News of the breach was first reported by DataBreaches.net . An unnamed reader quoted in the DataBreaches report claimed to have received Honda's notification letter on May 13. "It appears that even if you didn't create an account on their web sites, if they mailed you about upcoming specials in 2009, your data were involved," the blog noted.
Chenkin said Honda has taken several steps to ensure such an incident doesn't happen again. He did not elaborate.
Pretty scarry stuff, for those who are interested in how to help spot or protect yourself from internet fraud, here's a link to a 'how stuff works' article;