[BreachExchange] Data Breach Involving Mercedes-Benz Exposes SSNs and Credit Card Numbers

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Jun 28 12:00:44 EDT 2021


https://heimdalsecurity.com/blog/mercedes-benz-data-breach-exposes-ssns-credit-card-numbers/

It looks like the Mercedes-Benz data breach exposed important information
such as credit card information, social security numbers, and driver
license numbers of under 1,000 Mercedes-Benz customers and potential buyers.
To determine the impact of the data breach, the company started by
assessing 1.6 million customer records, which included customer names,
addresses, emails, phone numbers, and purchased vehicle information.

What Happened?

At the beginning of June, a Mercedes-Benz vendor informed the company that
the personal information of select customers was exposed due to an
insufficiently secured cloud storage instance. According to the company,
the breach affected some customers and potential vehicle buyers who had
entered sensitive information on Mercedes-Benz company and dealer websites
between 2014 and 2017.

On June 11, 2021, a vendor informed Mercedes-Benz that sensitive personal
information of less than 1,000 Mercedes-Benz customers and interested
buyers was inadvertently made accessible on a cloud storage platform. This
confirmation was part of an ongoing investigation conducted in cooperation
with the vendor. The issue was uncovered through the dedicated work of an
external security researcher. It is our understanding the information was
entered by customers and interested buyers on dealer and Mercedes-Benz
websites between January 1, 2014 and June 19, 2017. No Mercedes-Benz system
was compromised as a result of this incident, and at this time, we have no
evidence that any Mercedes-Benz files were maliciously misused.

Data security is a serious matter for MBUSA. Our vendor confirmed that the
issue is corrected and that such an event cannot be replicated. We will
continue our investigation to ensure that this situation is properly
addressed.

The vendor reports that the personal information for these individuals
(less than 1,000) is comprised mainly of self-reported credit scores as
well as a very small number of driver license numbers, social security
numbers, credit card information and dates of birth. To view the
information, one would need knowledge of special software programs and
tools – an Internet search would not return any information contained in
these files.

The vendor who notified Mercedes-Benz of the data breach states that the
exposed information included self-reported customer credit scores, driver’s
license numbers, Social Security Numbers (SSNs), credit card numbers, and
dates of birth belonging to the customers.

Fortunately, it looks like the leaked information from the Mercedes-Benz
data breach would not have been searchable on or indexed by a typical
search engine.

To view the information, one would need knowledge of special software
programs and tools – an Internet search would not return any information
contained in these files.

After reviewing 1.6 million unique customer records, it was determined that
under 1,000 customers have had their “additional” personal information
exposed via a publicly accessible cloud storage solution, and the company
is now contacting all the affected individuals regarding this incident.

Any individual who had credit card information, a driver’s license number,
or a social security number included in the data will be offered a
complimentary 24-month subscription to a credit monitoring service. We will
also notify the appropriate government agencies.

Not the First Automotive Giant to Suffer a Data Breach

Volkswagen also recently disclosed that it was the victim of a massive
data breach that happened after one of its vendors left a cache of customer
data unsecured on the internet.

In this specific incident, the personal data of 3.3 million prospective and
actual Audi customers were exposed on an unnamed third-party vendor’s
database.