Royal Enfield was hacked; motorcycle owners’ financial data is exposed online

After reading this note, you may prefer to keep using your old bike. Renowned information security researcher Bob Diachenko reported the discovery of a database exposed online, which contained at least 450,000 records belonging to motorcycle company Royal Enfield.

The compromised information includes confidential details of the firm’s clients who have a user profile on the Royal Enfield website: full names, email addresses, phone numbers, encrypted passwords and even links to some social media profiles.

In his report, the information security specialist mentions having found “three IP addresses with misconfigured databases (in other words, with no password or login); the exposed information suggests that the database is owned by Royal Enfield.” In addition, Diachenko states that the database includes records of “at least 1,400 privileged customers and distributors”.

A database’s entry
SOURCE: Bob Diachenko

Bob Diachenko mentions that he detected the vulnerability on January 19, and immediately notified the motorcycle company’s information security team. A few hours later, access to the compromised information had been shut down; however, Diachenko believes that the information was exposed for at least two weeks. No representative of Royal Enfield has offered public statements regarding the incident.

Diachenko has recently collaborated on a number of reports on data breach incidents, including incidents at government organizations such as the Indian Space Research Organization (ISRO), the Bhabha Atomic Research Center (BARC) and the Securities and Exchange Board of India (SEBI), which have been compromised by database configuration errors. These affected organizations have been lucky enough to receive the reports; in other cases the compromised information can quickly reach the hands of threat actors, who sell the stolen databases on multiple malicious hacking forums. Leaked databases are highly sought after by cybercriminals, especially when they include victims’ financial information.

According to the International Institute of Cyber Security (IICS), oversights and errors by the administrators of these deployments are the main cause of these incidents, so organizations must update their methods and establish stricter data security guidelines.