Mercedes-Benz has released details of a data breach affecting customers and prospective buyers in the US.
The luxury carmaker said a vendor had informed the company on June 11 that the information was “inadvertently made accessible on a cloud storage platform.” It appears that a third-party security researcher first raised the alarm.
Although the initial investigation was set to discover whether 1.6 million unique records had been exposed, subsequent findings indicated far fewer customers and interested buyers were affected.
“The vendor reports that the personal information for these individuals (less than 1,000) is comprised mainly of self-reported credit scores as well as a very small number of driver’s license numbers, social security numbers, credit card information and dates of birth,” the statement noted.
“To view the information, one would need knowledge of special software programs and tools — an internet search would not return any information contained in these files.”
These individuals entered the information in question on dealer and Mercedes-Benz websites between January 1, 2014, and June 19, 2017.
Mercedes-Benz USA confirmed that none of its systems were compromised in the incident and said the issue had been mitigated by the security vendor and can’t happen again.
Although it’s unlikely that threat actors managed to locate and access the information, it’s unclear how long it had been exposed for.
Mercedes-Benz USA has begun notifying those affected and said that anyone who had credit card information, driver’s license or social security numbers exposed will be offered a free 24-month subscription to a credit monitoring service.
Tom Garrubba, CISO at risk management firm Shared Assessments, welcomed the carmaker’s prompt action.
“With all the cyber-incidents that have been reported recently, it is refreshing to see the swift action taken by Mercedes-Benz USA in addressing the incident with their cloud service provider and ultimately, with their customers,” he added.
“The reported breach of 1000 existing and prospective customers via their cloud storage vendor’s platform should raise awareness of the importance of proper due diligence and understanding as to how your cloud service providers are protecting your data.”