Unsecured online database exposes details of millions of cars and their owners
Researchers from the Kromtech Security Research Center have discovered an unprotected database online that includes information on about 10 million cars sold in the US.
As well as data such as VIN and details of payment plans, the database also includes detailed information about owners, such as name, address, phone numbers and occupation. It has been left exposed online for over four months, but it's not clear who the owner is -- or how to address the security risk it poses.
COO of Kromtech, Bob Diachenko, says that while the owner of the database is not yet known, it appears to have been compiled from marketing data from a range of auto dealers across the US. He says: "The database has been online for more than 137 days now. Security researchers have yet to identify the owner of the database and are asking for anyone from the exposed dealerships or the potential owner to contact us."
HelpNetSecurity explains that the database includes three separate sets of data:
- Vehicle details: Vehicle Identification Number (VIN), make, model, model year, vehicle color, mileage, etc.
- Sales details: VIN, mileage odometer, sales gross, pay type, monthly payment amount, purchase price, payment type, etc.
- Customer details: Full name, address, mobile / home / work phones, email, birth date, gender, occupation, etc.
There are a number of risks associated with the exposure of this database. The revelation of VINs could allow for the creation of duplicate keys by unauthorized people, while the exposure of detailed customer information opens up the distinct possibility of phishing scams.