Honda Canada has notified about 280,000 customers in that country of a data breach involving the compromise of their personal data.
The breach was discovered in late February. However the company only began notifying customers of the compromise earlier this month.
An undated alert posted on the company's website said the incident involved the unauthorized access of customer names, addresses, vehicle identification numbers and, in the case of a small number of customers, their Honda Financial Services account numbers.
Jerry Chenkin, executive vice president of Honda Canada, said Thursday the reason for the delay was that the company needed time to figure out the scope of the breach before it could begin notifying customers.
According to Chenkin, unknown intruders breached a Web server that allows Honda and Acura customers in Canada to set up personal MyHonda and MyAcura websites.
Honda had contacted about 280,000 customers via a mail campaign in 2009 asking them to register their personal websites. As part of that campaign, Honda had pre-populated each personal Web page with details about the owner and his or her vehicles. Data from these personal sites is what appears to have been illegally accessed, Chenkin said.
Honda's IT staff discovered the breach when they were investigating the cause of unusual activity in the Web server hosting the MyHonda and MyAcura sites, he said.
Once the breach was discovered, the system was immediately taken offline while the cause and scope of the breach was identified, Chenkin said.
The data that was exposed is unlikely to result in identity theft because it did not include details such as Social Security numbers, driver's license information, birth dates, phone numbers or credit card numbers, Honda said in its notice.
The note warned affected customers to be on the lookout for phishing campaigns referencing their ownership of a Honda vehicle. But for the moment, customers do not have to take any measures to protect themselves, the company said.
News of the breach was first reported by < target="new" href=" http://www.databreaches.net/?p=18413">DataBreaches.net. An unnamed reader quoted in the DataBreaches report claimed to have received Honda's notification letter on May 13. "It appears that even if you didn't create an account on their web sites, if they mailed you about upcoming specials in 2009, your data were involved," the blog noted.
Chenkin said Honda has taken several steps to ensure that such an incident doesn't happen again. He did not elaborate.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.