Garmin-owned navigation company accidentally exposed data of thousands of boat owners
- The firm exposed a database that contained 19GB of information relating to its products and customers.
- The unsecured MongoDB server contained 261,259 unique records, including email addresses, product IDs, user IDs and more.
An Italian electronic marine navigation charts manufacturer, Navionics, which was recently acquired by Garmin, inadvertently exposed customer and corporate information. The firm was found using a misconfigured MongoDB server that left 19GB of information relating to its products and clients, accessible to anyone on the internet.
The unsecured MongoDB server contained 261,259 unique records, including email addresses, product IDs, user IDs and more. Navionics primary products offer boats, yachts and ship-owners access to real-time navigational charts.
According to Hacken io’s director of cyber risk research Bob Diachenko, who discovered the unsecured cloud server, the data exposed also includes device IDs, boat speed, location data, and other navigational information. Diachenko said that once he notified Navionics of the breach, they immediately secured the data on the same day, which was lauded by the researcher.
“Navionics takes data protection very seriously, and we are grateful that Mr. Diachenko notified us of this misconfiguration using the responsible disclosure model. Once notified, we immediately investigated and resolved the vulnerability,” Navionics said in a statement. “Following our investigation, we confirmed that none of the records or data were otherwise accessed or exfiltrated, and none of the data was lost. Even so, Navionics still notified affected customers via e-mail by October 8, 2018.”
“Luckily, the database remained intact when I discovered it, so this incident should not affect current Navionics customers,” Diachenko wrote in a blog. “As we learned from this incident, one never knows when transient firewall rules may inadvertently expose your development machines to the public. In this case, it appears to have only exposed some pieces of personal information, but for others, it could be critical intellectual property or even your entire subscriber base that could be exposed.”