Mercedes Benz Leaks Customers’ Social Security Numbers and Other Personal Data in a Breach
- By Dawna M. Roberts
- Published: Jul 14, 2021
- Last Updated: Mar 18, 2022
Luxury car brand Mercedes Benz just released a public announcement notifying customers of a data breach which included driver’s license details, dates of birth, social security numbers, and payment card details.
What Happened?
The notification mentions that on June 11, 2021, a vendor of Mercedes Benz notified them that information on customers and interested buyers stored in a cloud service was accidentally exposed and potentially accessed by an unauthorized party. The matter came to light when a cybersecurity researcher discovered the information and notified Mercedes Benz.
The carmaker reassured customers by saying, “It is our understanding the information was entered by customers and interested buyers on dealer and Mercedes-Benz websites between January 1, 2014, and June 19, 2017. No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.”
“The vendor reports that the personal information for these individuals (less than 1,000) is comprised mainly of self-reported credit scores as well as a very small number of driver license numbers, social security numbers, credit card information, and dates of birth. To view the information, one would need knowledge of special software programs and tools - an Internet search would not return any information contained in these files,” the company further explained.
How Did Mercedes Benz Handle the Situation?
The original stash of information contained more than 1.6 million records; however, the investigation revealed that only around 1,000 had personally identifiable information (PII) that hackers could use for identity theft and fraud.
Mercedes Benz’s vendor assured the carmaker that the issue has been fixed and cannot reoccur. Although there is no evidence indicating that any unauthorized person accessed or copied the information, it is unclear how long it was exposed.
The company has been notifying customers in writing and is offering 24 months of credit monitoring services to the affected customers and interested buyers.
InfoSecurity Magazine spoke with Tom Garrubba, CISO at risk management firm Shared Assessments, who commented, “With all the cyber-incidents that have been reported recently, it is refreshing to see that swift action taken by Mercedes Benz USA in addressing the incident with their cloud service provider and ultimately, with their customers.”
“The reported breach of 1000 existing and prospective customers via their cloud storage vendor’s platform should raise awareness of the importance of proper due diligence and understanding as to how your cloud service providers are protecting your data.”
What to Do After a Data Breach
Following a data breach, customers are typically notified by the company responsible for leaking the information. If your information was exposed in a data breach, it is critical to take swift action to protect yourself against identity theft and fraud. Some tips for doing so are:
- Change all your current passwords.
- Never use the same passwords on multiple websites.
- Do not click links or download attachments in emails. Often, after a data breach, cybercriminals use phishing emails to try and steal additional information.
- Review all monthly credit card and bank statements, looking for unauthorized transactions.
- Get a copy of your credit report.
- Sign up for credit and identity theft protection.
- Be careful of any unsolicited calls where people ask you for information.
- Keep strong antivirus software on all your devices and run deep scans often. Once hackers have your email address and other data, they may target you.
- Use common sense: if something sounds too good to be true, it probably is, so walk away.