
Mercedes-Benz Hit by Third-party Data Breach


Automobile maker Mercedes-Benz USA said a data breach in its supply chain had exposed personal information of roughly 1.6 million of its actual and potential customers.

The incident, which the company said it learned about on June 11, 2021 from a vendor that had “inadvertently” left sensitive information accessible on a cloud platform, ultimately concerned the data of fewer than 1,000 people whose driver’s license numbers, Social Security numbers, bank card information and birth dates were exposed.

Customers who provided their personal information to Mercedes-Benz and dealer websites between 2014 and 2017 were at risk. To view the information left unguarded, a hacker would have to possess special software and tools, officials said. No Mercedes-Benz system was compromised as a result of the event, and so far there’s no concrete evidence that any Mercedes-Benz files were maliciously misused.

The car maker, which said the third-party vendor had confirmed it stanched the leak, did not mention whether it had hired a cybersecurity consulting firm or MSSP to assist with its forensics investigation. “Our vendor confirmed that the issue is corrected and that such an event cannot be replicated,” the car maker said. “We will continue our investigation to ensure that this situation is properly addressed.” Individuals whose additional information was accessible online have been notified of the breach.

Mercedes-Benz said it will provide free credit monitoring and identity theft protection to the affected individuals for two years and will notify the appropriate government agencies.

Of note, Volkswagen recently disclosed that it had incurred a similarly timed supply chain breach in which more than three million records of actual and potential Audi customers had been exposed on a third-party vendor’s database. Some of the stolen data subsequently showed up on the dark web marked for sale, reports said.

At the Black Hat 2020 security conference, security researchers at the Sky-Go Team, the car hacking unit at Qihoo 360, uncovered nearly 20 vulnerabilities in a Mercedes-Benz E-Class car that allowed them to remotely open its doors and start the engine, a TechCrunch report said.

The flaws, which were later fixed, could have affected as many as two million Mercedes-Benz internet-connected cars in China, the researchers said. “Making every back-end component secure all the time is hard,” the researchers said at the time. “No company can make this perfect.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.