[BreachExchange] Mercedes-Benz US 'accidentally' Leaks Confidential Data Of 1,000 Customers: Report

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jun 25 12:04:21 EDT 2021


https://www.republicworld.com/world-news/us-news/mercedes-benz-us-accidentally-leaks-confidential-data-of-1000-customers-report.html

Mercedes-Benz USA on June 24 accidentally leaked the confidential data of
at least 1,000 buyers and interested purchasers. The information breach
occurred for the customer data recorded with the corporation between
January 2014 and June 2017. The luxury carmaker inadvertently made the
customers’ credit scores, driver's license and social security numbers, and
credit card information accessible on a cloud storage platform. However,
the luxury carmaker stated that none of the personal information was
maliciously used or compromised.

According to multiple reports on Thursday, Mercedes told the customers whose
credit card information, driver's license number, and SSN were exposed in
the breach that it will give them a complimentary two-year subscription to
a credit monitoring service, reassuring them that none of the information
was compromised and no files were accessed.

In a similar kind of breach in May, Mercedes-Benz’s source code for its
"smart car" components had reportedly leaked online. This was highlighted
after a Swiss-based software engineer discovered a Git web portal that
belonged to Daimler AG [the automaker for the Mercedes-Benz car brand]
wherein he was able to register an account on the code-hosting portal and
download more than 580 Git repositories that contained the source code for
the Mercedes OLU component. These onboard logic units connect vehicles to
the cloud for smart functioning. The leak posed security threats and a
danger of network attacks after the software vulnerabilities were identified.

Mercedes Benz cars operate on combined mechanical and computer systems with
sensors and devices that make GPS and external location mapping possible
due to smart technologies and applications. However, software engineer Till
Kottmann from Switzerland found an incorrect configuration on Daimler’s code
hosting portal which allowed him to download data related to the OLU, which
controls real-time vehicle data that allows third-party apps to track
the internal state of the vehicle and lock it in case it's stolen.

Volkswagen data breach

Last week, German automobile maker Volkswagen admitted in a letter that
nearly 3.3 million customers of Volkswagen and its luxury car subsidiary
Audi had suffered a data breach for more than two years. The carmaker
reportedly revealed that the personal data of millions of Americans and
Canadians had been accessible online, which included confidential
information such as their phone numbers, email addresses, postal mailing
addresses, vehicle identification numbers, and driver's license numbers.
The corporation,
however, blamed an external firm for the colossal breach stating that this
‘unnamed’ firm had extracted the data “for marketing purposes” and had
eventually abandoned it on an unsecured server.