Navionics, the Italian manufacturer of shipping navigation units which is owned by Garmin, recently suffered a major data breach that exposed the information of thousands of customers.
Navionics gives users access to marine navigation charts in real time, through what they call the “world’s largest cartography database”. The company was recently acquired by Garmin, who specialise in providing GPS technology for travel and sports.
A researcher at Hacken.io found that the company’s MongoDB database was unsecured, meaning that the 19GB of customer information in the database could be accessed and downloaded by anyone. Hacken.io released their findings in a blog post.
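The page describes the root cause only as an “unsecured” MongoDB instance reachable by anyone. The two configuration fragments below are an added, illustrative example (not Navionics’ or Garmin’s actual configuration, which the page does not show) of the two settings that most often produce this kind of exposure and of their hardened counterparts. The file layout and option names are those of the standard mongod.conf YAML format; the address 10.0.0.5 and the comments are constructed for this example.

```yaml
# --- Exposed pattern (assumed; NOT the configuration from the incident) ---
# Listening on every interface with no authorization means any host that can
# reach port 27017 (e.g. after a firewall rule is relaxed) can read every
# collection without credentials.
net:
  port: 27017
  bindIp: 0.0.0.0          # accepts connections from any address
security:
  authorization: disabled  # no user/role checks on any operation

# --- Hardened counterpart ---
# Bind only to loopback plus the one private address the application uses,
# and require authenticated, role-based access even if the network filter
# ever fails. Both controls must be present; neither replaces the other.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # constructed private address; never 0.0.0.0
security:
  authorization: enabled       # every operation checked against user roles
```

A quick check of a running instance is to inspect the options it actually started with from an authenticated shell, `db.adminCommand({ getCmdLineOpts: 1 })`, and confirm that `net.bindIp` is not `0.0.0.0` and that `security.authorization` is `enabled`; a network filter alone is a single point of failure, which is the point the researcher makes later on this page about transient firewall rules.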
The database contained more than 260,000 records, which included customer names, email addresses and also information about users’ boats, which may have been updated in real time.
In response to the discovery, Navionics immediately shut down the server and issued a statement:
Navionics takes data protection very seriously, and we are grateful that Mr. Diachenko notified us of this misconfiguration using the responsible disclosure model.
Once notified, we immediately investigated and resolved the vulnerability. Following our investigation, we confirmed that none of the records or data were otherwise accessed or exfiltrated, and none of the data was lost. Even so, Navionics still notified affected customers via e-mail by October 8, 2018.
The researcher responsible for the discovery praised the company for their swift response:
Luckily, the database remained intact when I discovered it, so this incident should not affect current Navionics customers. I applaud Navionics/Garmin’s rapid response to the issue; they immediately took down that server upon notification and began investigating.
However, he also cautioned companies who might have similarly unsecured databases:
The main takeaway from this is the importance of security at every stage of your development process. It should not even be argued that your development network must be one of your most secure networks, for it contains your intellectual property. As we learned from this incident, one never knows when transient firewall rules may inadvertently expose your development machines to the public. In this case, it appears to have only exposed some pieces of personal information, but for others, it could be critical intellectual property or even your entire subscriber base that could be exposed.
As these sorts of data breaches are discovered more often, it’s to be hoped that companies will take the hint and begin investing in overhauls of their security practices, for the sake of their reputations as well as their customers.