BreachExchange mailing list archives

Attackers walk with 4.9 million customer records in Honda breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 30 Dec 2010 20:50:51 -0500

http://www.thetechherald.com/article.php/201052/6623/Attackers-walk-with-4-9-million-customer-records-in-Honda-breach

Is Honda the latest victim of the Silverpop data breach? According to
reports, American Honda Motor Company recently discovered that 2.2
million customers were impacted by a data breach exposing the Owner
Link email list maintained by an outsourced vendor. In addition, a
further 2.7 million records were lost when the My Acura list was hit.

In a letter to customers, American Honda Motor Company said it
recently became aware of “unauthorized access to an email list used by
a vendor to create a welcome email to customers who have an Owner Link
or My Acura vehicle account.”

The Owner Link email list contained 2.2 million records, including
customer names, email addresses, user names, and Vehicle
Identification Numbers. The compromised My Acura list, 2.7 million
records strong, only contained email addresses.

“You may be aware of attacks on email marketing systems, therefore we
want to assure you that we take the safeguarding of your information
seriously and that the appropriate authorities have been contacted
regarding this incident. Additionally, we have taken steps to minimize
this type of exposure in the future,” the letter added.

“As a Company, we encourage you to continue to be aware of the
increasingly common email scams that may use your email address to
contact you and ask for personal or sensitive information… Also, know
that American Honda Motor Co., Inc. will not send you emails asking
for your credit card number, social security number or other personal
information. If ever asked for this information, you can be confident
it is not from us.”

Earlier this month, after McDonald’s, Walgreens, and deviantART alerted
customers and users to email list breaches, The Register reported that
the FBI was investigating the incidents. In addition, The Register
added that it was possible more than 100 companies could have been
hit. Each company is a customer of Silverpop Systems, an Atlanta-based
email service provider.

The Tech Herald has reached out to the FBI in search of more information.

In September of 2009, American Honda Motor Company presented Silverpop
with its Premier Partnership Award for “excellence in supporting
Honda's email marketing efforts.”

Unless things have changed, this leads one to conclude that it has
become the latest victim in the raid on Silverpop’s network. However,
aside from the press release, Silverpop has made no comment regarding
the Honda incident.

When it comes to public statements connected to the data breach,
Silverpop will only reference two statements on its company blog.

“The media has recently been covering the security disclosures of
several large brands. It is important to clarify that several of these
large brands have never been Silverpop customers,” Silverpop CEO Bill
Nussey said in a statement on December 15.

However, in an email to users, deviantART named Silverpop directly,
saying: “Silverpop Systems, Inc., a leading marketing company that
sends email messages for its clients, told us that information was
taken from its servers. This was probably part of a sweep by spammers.
As a result, email addresses belonging to deviantART members were
copied. Corresponding usernames and birth date may also have been
removed.”

In a separate statement, fast-food chain McDonald’s told The Tech
Herald that the email provider it used was Arc Worldwide, a Silverpop
partner.

“We have been informed by one of our long-time business partners, Arc
Worldwide, that limited customer information collected in connection
with certain McDonald’s websites and promotions was obtained by an
unauthorized third party. Arc retained the services of an email
database management firm whose computer systems were improperly
accessed by a third party.”

Walgreens is the only odd duck. When we approached it, a spokesperson
clearly denied connection, insisting that: “No, the Walgreens incident
isn't related in any way to the Arc Worldwide breach.”

We’ll follow the data breach investigation and update as needed. For
now, it looks as if Walgreens is the only company that has lost an
email list not somehow related to Silverpop.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
