One of VW’s vendors left one of its systems open for nearly 2 years, exposing the personal data of 3.3m customers, Volkswagen of America said last week.
Almost all of the leaked data belonged to owners or prospective owners of the automaker’s luxury brand, Audi, who are now at greater risk of phishing, ransomware, or car theft.
Affected Customers
The breach took place between August 2019 & May 2021, VW said in a letter to the Maine Attorney General that was first spotted by TechCrunch reporter Zack Whittaker.
The car maker explained that the data, mostly collected for sales & marketing, was exposed by a vendor used by Volkswagen, its Audi subsidiary & authorised dealers.
For upwards of 97% of the affected customers, the data exposed on the 3rd-party vendor’s system was limited to contact information about customers & prospective buyers: names, postal & email addresses, & phone numbers.
Sensitive Data
Other buyers or prospective buyers were hit harder, because more sensitive data about them – including Social Security numbers, dates of birth & driver’s license numbers – was stored on the vendor’s exposed server, as Volkswagen explained in its letter:
For over 97% of the individuals, the exposed information consists only of contact & vehicle information relating to Audi customers & interested buyers, including some or all of the following contact information: first & last name, personal or business mailing address, email address, or phone number.
Vehicle Identification Number
In some instances, the data also includes information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, colour, & trim packages.
For circa 90,000 Audi customers or interested buyers, the data also includes more sensitive information relating to eligibility for a purchase, loan, or lease. Nearly all of the more sensitive data (over 95%) consists of driver’s license numbers. A very small number of records include data such as dates of birth, Social Security or social insurance numbers, account or loan numbers, & tax identification numbers.
2 Months to Secure that Server?
Volkswagen revealed that it first heard about the breach on Mar. 10. The company did not explain why the unnamed vendor then took 2 months to secure its server, leaving the data exposed until last month. It is also not known whether unauthorised 3rd parties downloaded the data during the nearly 2 years it was left open online.
All of the Volkswagen customers or potential customers affected by the breach are at risk of fraud. Audi drivers are additionally at risk of having their cars stolen: the 2021 Audi A4, for example, costs anywhere from $39,100 up to $51,900 in the US.
Audi RS4 Video
Luxury cars are protected by advanced anti-theft technology, but that technology can be beaten.
The video shows thieves breaking into an Audi RS4 in just 90 sec by smashing a window & plugging a device — assumed to be a piece of equipment available online that is used to silence alarms & program blank key fobs — into the dashboard.
Advanced Gadgets
Cybercriminals do not need advanced gadgets to profit at drivers’ expense. Instead, they can opt for less complex attacks, such as phishing or ransomware. They have learned that the data automotive companies hold – from customer & employee personally identifiable information (PII) to financial data – is invaluable.
In one example, an attacker installed a keystroke logger on the workstation of a car dealership’s finance specialist to obtain their credentials & access customer credit reports. In another, a ransomware attack on Toyota Australia led to delays in servicing & disruption in the supply of parts.
Undeserved Trust
JupiterOne CISO Sounil Yu noted that the breach points to a problem with supply chains. Namely, “We put too much trust in them,” he stated.
Yu cited President Biden’s recent Executive Order, noting that it pushes hard for Zero Trust architecture but that it is “applied primarily to things, such as networks & endpoints.”
He suggested on Mon. that a Zero Trust approach be applied to suppliers as well, as opposed to the current practice of “sending vendors long questionnaires” & only occasionally asking for proof to back up their answers.
Security Activities
“We trust that those answers are correct & that the vendor is actually performing the security activities that they attested to,” he noted.
Dirk Schrader, Global VP at New Net Technologies, agreed. In an email on Mon., he called this breach “another cyber gaffe in the 3rd-party supply chain.”
Unfortunately, while specialisation is one of the main reasons for outsourcing to 3rd parties, that specialisation does not necessarily extend to cyber-security, he observed. “Whether this is due to lack of resources, of knowledge, financial incentive or because VW – being the reporting entity here – didn’t require certain standards & levels of protection in place is hard to say.”
Toxic Mixture
Likely, it is “a toxic mixture of everything,” Schrader suggested. “For the 3rd party, one lesson learned is an old one: ‘you’re never too benign, too small, too unknown’, attackers will find you,” he emphasised.
The fact that it took the vendor & VW such a long time to detect the breach is “telling” when it comes to a lack of capabilities, he added.
Schrader concluded: “VW, being a German company, is also a member of the VDA (the German Association of the Automotive Industry). VDA has cyber security requirements in place for 3rd parties in this sector, addressing capabilities required.”