Garmin Ltd.-owned Italian marine navigation firm Navionics SpA inadvertently exposed 19 gigabytes' worth of sensitive customer and product data after a misconfiguration incident on its MongoDB platform last month, according to a blog post by cybersecurity firm Hacken.
The incident reportedly exposed data on 261,259 unique customers, including email addresses, names in some cases, purchased product IDs, and user IDs. Apart from customer data, the database also included information such as application version and platform used, device ID, longitude and latitude, boat speed, navigation device, horizontal accuracy, and other navigation details.
Bob Diachenko, Hacken's cyber risk research director, discovered the incident on Sept. 10 and said he sent a responsible disclosure notification to Navionics when he identified the owner of the dataset the next day.
In a statement to Hacken, Navionics said it "takes data protection very seriously" and that it has "immediately investigated and resolved the vulnerability."
The company also confirmed that none of its records or data were accessed, exfiltrated or lost. Navionics said it e-mailed affected customers by Oct. 8.
Hacken said the incident is unlikely to affect current Navionics customers because the database remained intact upon discovery of the incident.
Garmin acquired Navionics in October 2017.