Attackers Walk With 4.9 Million Customer Records in Honda Breach

December 29, 2010 by The Tech Herald

Is Honda the latest victim of the Silverpop data breach? According to reports, American Honda Motor Company recently discovered that 2.2 million customers were impacted by a data breach exposing the Owner Link email list maintained by an outsourced vendor. In addition, a further 2.7 million records were lost when the My Acura list was hit.

In a letter to customers, American Honda Motor Company said it recently became aware of "unauthorized access to an email list used by a vendor to create a welcome email to customers who have an Owner Link or My Acura vehicle account."

The Owner Link email list contained 2.2 million records, including customer names, email addresses, user names, and Vehicle Identification Numbers. The compromised My Acura list, 2.7 million records strong, only contained email addresses.

"You may be aware of attacks on email marketing systems, therefore we want to assure you that we take the safeguarding of your information seriously and that the appropriate authorities have been contacted regarding this incident. Additionally, we have taken steps to minimize this type of exposure in the future," the letter added.

"As a Company, we encourage you to continue to be aware of the increasingly common email scams that may use your email address to contact you and ask for personal or sensitive information… Also, know that American Honda Motor Co., Inc. will not send you emails asking for your credit card number, social security number or other personal information. If ever asked for this information, you can be confident it is not from us."

Earlier this month, after McDonald's, Walgreens, and deviantART alerted customers and users to email list breaches, The Register reported that the FBI was investigating the incidents. The Register also said it was possible that more than 100 companies had been hit. Each company is a customer of Silverpop Systems, an Atlanta-based email service provider.

The Tech Herald has reached out to the FBI in search of more information.

In September of 2009, American Honda Motor Company presented Silverpop with its Premier Partnership Award for "excellence in supporting Honda's email marketing efforts." [Source]

Unless things have changed, this leads one to conclude that Honda has become the latest victim in the raid on Silverpop’s network. However, aside from the press release, Silverpop has made no comment regarding the Honda incident.

When it comes to public statements connected to the data breach, Silverpop will only reference two statements on its company blog.

"The media has recently been covering the security disclosures of several large brands. It is important to clarify that several of these large brands have never been Silverpop customers," Silverpop CEO Bill Nussey said in a statement on December 15.

However, in an email to users, deviantART named Silverpop directly, saying: "Silverpop Systems, Inc., a leading marketing company that sends email messages for its clients, told us that information was taken from its servers. This was probably part of a sweep by spammers. As a result, email addresses belonging to deviantART members were copied. Corresponding usernames and birth date may also have been removed."

In a separate statement, fast-food chain McDonald's told The Tech Herald that the email provider it used was Arc Worldwide, a Silverpop partner. [Source] "We have been informed by one of our long-time business partners, Arc Worldwide, that limited customer information collected in connection with certain McDonald’s websites and promotions was obtained by an unauthorized third party. Arc retained the services of an email database management firm whose computer systems were improperly accessed by a third party."

Walgreens is the only odd duck. When we approached it, a spokesperson clearly denied any connection, insisting that: "No, the Walgreens incident isn't related in any way to the Arc Worldwide breach."

We’ll follow the data breach investigation and update as needed. For now, it looks as if Walgreens is the only company that has lost an email list not somehow related to Silverpop.