1.6 million individuals have been exposed. 1,000 individuals have highly sensitive information leaked.
SAN RAFAEL, CALIFORNIA – On June 11th, one of Mercedes‘ vendors informed the German-based auto manufacturer that a cloud storage security vulnerability had exposed personal information of 1.6 million individuals. Last week, Mercedes revealed the results of their internal investigation into the breach. Of the 1.6 million records exposed, around 1,000 contained extremely revealing information.
How did this happen?
This is a textbook example of a third party data breach. One of Mercedes’ vendors (who has remained unnamed to this point) was responsible for storing customer information on behalf of the organization. According to the company, the breach affects individuals who had entered sensitive information on Mercedez-Benz and dealer websites between 2014 and 2017.
From Mercedes… “No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.” But just because Mercedes was not directly responsible for the hack, they are still liable, and will offer two years of credit monitoring to individuals who were exposed. The company says it is also notifying the government agencies.
For a smaller number of people – which Mercedes-Benz says is less than 1,000 – more sensitive data was exposed, including:
- self-reported credit scores
- driver’s license numbers
- Social Security numbers
- credit card numbers
Why target Mercedes?
When cyber criminals successfully execute breaches, their goal is to re-sell the stolen data on the Dark Web. Hacking a luxury company like Mercedes is especially lucrative, because its customer have more to lose financially.
Armed with a wealthy individual’s SSN and other crucial information, fraudsters can execute a plethora of scams, including opening new lines of credit, accessing that individual’s bank accounts, and even extortion.
Any relation to the Volkswagen hack?
This breach is eerily similar to the Audi/Volkswagen breach which was revealed in mid-June. That was also a third party breach, attributed to one of the company’s marketing vendors who has also remained unnamed.
Around 90,000 people had their data leaked in that attack, but it is unclear if it was executed by the same cyber criminals behind the Mercedes attack.
How does Evolve defend policyholders?
Prevention is always the best defense, so it is crucial to monitor for data exfiltration. Data exfiltration is when the bad guys steal information from your servers or machines. Evolve partner BlackFog is the only on-device data exfiltration solution on the market, and we cannot stress its importance highly enough. All Evolve policyholders receive a free 7-day trial, and a meeting with BlackFog’s VP of Threat Intelligence to review threats to your organization.
Another key is to monitor the Dark Web for stolen information. Services like Skurio scan the Dark Web 24/7, looking for stolen credentials tied to your organization. If someone in your organization has their credentials leaked, you will be notified.