Jun 1, 2011 14:29 GMT

Honda Canada is facing a $200 million class action lawsuit after announcing earlier this month that the personal information of 283,000 of its customers has been compromised.

The company sent notification letters to affected individuals on May 13, informing them that their names, addresses, Vehicle Identification Numbers (VIN), and Honda Financial Services (HFS) account numbers have been exposed.

The data breach was the result of an intrusion on the myAcura and myHonda websites that occurred back in February.

According to The Toronto Star, Flaherty Dow Elliott & McCarthy, a Toronto-based law firm, has already filed a complaint against Honda Canada and its affiliates, claiming the breach exposes clients to identity theft.

The lawsuit was filed in the name of one Brian Scholes of Peterborough, but seeks class action status. Honda Canada is accused of failing to adequately protect customer data and to notify customers of the incident in a timely manner.

Several months passed between the discovery of the compromise and the notification of the affected individuals, and Honda claims it needed the time to properly establish the circumstances of the breach.

The complaint also claims that Honda Canada should have tested its websites after Honda America had its myAcura website compromised last December.

The Japanese car maker's Canadian subsidiary maintains that no information that would directly facilitate identity theft or fraud has been exposed, but the complaint says these risks are real.

At the least, the leaked personal information could be used to mount believable phishing attacks with the purpose of extracting more sensitive information from Honda customers.

The company has warned customers to be wary of spam that might make use of the information and not to hand over their financial information to entities claiming to be Honda.

This alert was also issued earlier this month, a long time after the initial breach, which gave attackers ample time to misuse the information in attacks. As a study showed last year, the most critical time for a phishing attack is the first hour.