Mercedes-Benz Customer Data Gets Exposed!

Mercedes-Benz Customer Data Gets Exposed!

For over 3 years, a Merc. vendor was ‘recklessly driving’ the cloud-stored data of luxury-car-owning customers & prospective buyers.

The luxury of Mercedes-Benz cars: The high-end upholstery, plush carpeting, polished wood trim, LED mood lighting. “Even the scent signals that this vehicle is special,” as the automaker says.

Even a company like Mercedes-Benz can inadvertently leak out customer data. That’s what the automaker admitted last Thurs., when Mercedes-Benz USA disclosed that one of its vendors has leaked customer information out of its cloud storage system.

Slow Data Skid

The situation is cloudy, but one thing seems certain: This issue was prolonged, as in, the data was exposed for over 3 years. The company – which is the American subsidiary of the German automotive brand Daimler AG – said in its notice that the information was entered by customers & interested buyers on dealer & Mercedes-Benz websites between Jan. 1, 2014 & June 19, 2017.

The company credited an ‘unnamed’ external security researcher for giving it the heads-up.

Mercedes-Benz did not say when it was first made aware of the data exposure, why it took 4 years to come to light, what happened in 2017 to cause the leak to plug up, nor what brought about the eventual discovery – whenever that happened.

Due Diligence

Tom Garrubba, CISO at the 3rd-party risk-management firm Shared Assessments, t explained that he sees the situation in 2 parts: “1st, a lack of proper security around the data containers at the cloud service provider, & 2nd, lack of proper due diligence from Mercedes-Benz in asking questions & performing such due diligence in understanding how they are securing their data (network, systems, etc.).”

So far, there has been no evidence of the company’s systems having been interfered with, or that customer records were misused, states the advisory: “No Mercedes-Benz system was compromised as a result of this incident, & at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.”

US Social-Security Numbers

However, for whatever reason, the vendor was apparently collecting US Social-Security numbers, dates of birth & other highly sensitive information from customers. Mercedes-Benz said that data relating to less than 1,000 Mercedes-Benz customers & interested buyers were accidently exposed, & that the dataset consisted “mainly of self-reported credit scores.”

There were also “a very small number” of records that included:

  • Driver-license numbers
  • US Social-Security numbers
  • Credit-card information
  • Dates of birth

Take Out Loans

Acquiring sensitive data like Social-Security numbers & driver’s-license numbers can allow bad actors to take out loans, intercept tax refunds or open new bank accounts posing as the victim, pointed out Anurag Kahol, CTO & Co-Founder of Bitglass. To properly protect customer data, “companies must have complete visibility & control over all data across the IT ecosystem – including data stored in the cloud,” he observed last on Fri.

Mercedes-Benz noted that in order to view the information, somebody would need “knowledge of special software programs & tools,” given that “an internet search would not return any information contained in these files.”

Ransomware

Mercedes-Benz refrained from giving a list of the programs & tools a threat player would need to decode its vendor’s files, but that’s little comfort: Sophisticated threat players are good at using whatever it takes to help them tap into lucrative files. “Sophisticated” is a term that’s increasingly linked to cyber-crooks, whether they’re in the ransomware field, setting up pandemic-themed scams or improving their business email compromise (BEC) tactics.

Shared Assessment’s Garrubba explained that while the “special tools” argument is no comfort, there is a good chance that no – at least, no-one with sophisticated hacker know-how – found these records.

Vulnerability

“Threat actors certainly are aware of such tools, but it comes down to if any threat actor would be aware of such vulnerability & at this particular cloud service provider,” he noted.

“The threat actor would have to be familiar with the provider’s network & know where to go to find the container that was holding Mercedes-Benz’ data.”

Investigation

Mercedes-Benz launched an investigation to assess the accessibility of around 1.6m unique records, the “vast majority” of which included information such as name, address, emails, phone numbers & some purchased-vehicle information.

The company has already begun to contact the fewer than 1,000 people whose additional personal information was made publicly accessible. It is offering 2 years of free credit monitoring to those whose credit-card information, driver’s-license number or US Social-Security number was included in the exposed data.

Less than 1,000 Records

Some security experts were a bit concerned that the “less than 1,000 records” claim will hold up, given that those records have been out there so long. James McQuiggan, Security Awareness Advocate at KnowBe4, noted that “for an exposed database of over 3 years, it is concerning that only less than a 1,000 records were disclosed. With the length of the exposed data, it would seem based on previous attacks, that 1,000s of records would have been exposed.”

Financially speaking, Mercedes-Benz owners are no beginners, he observed, & their data is highly desirable.

Higher Value

“Cyber-criminals will consider this data at a higher value because most customers of Mercedes-Benz are people who have a solid financial position, possibly more than the typical victim,” he surmised.

“This position can only increase the value of the data for sale on the Dark Web. The cyber-criminals can hope to extort money from the victims by leveraging the stolen information & will claim to delete it if paid. Additionally, they can craft very targeted emails to trick victims & access their systems or data for further exploitation.”

Misconfigured Cloud Storage

Unfortunately, cloud storage configuration is the roadkill of the current age. In March, arts-&-crafts retailer Hobby Lobby left 138Gb of sensitive information open to the public internet, thanks to a cloud-bucket misconfiguration.

Cloud misconfigurations are a common threat issue for organisations of all sizes. E.g., an analysis last Autumn found that 6% of all Google Cloud buckets are misconfigured, left open to the public internet for anyone to rifle through their contents.

Identifiable Information

Bitglass’ Kahol observed that it is far too easy for companies to overlook security issues that leave data exposed for long periods of time, such as with the Mercedes-Benz incident. “In this case, customers’ personally identifiable information (PII) was exposed & possibly accessible by threat actors for over 3 years,” he noted.

He stated that in organisations that are responsible for highly sensitive PII, there’s “no margin for error.”

“They must leverage multi-faceted & robust cyber-security platforms that include cloud security posture management (CSPM), data loss prevention (DLP), multi-factor authentication (MFA), & user & entity behaviour analytics (UEBA),” he continued.

“Secure access service edge (SASE) platforms deliver end-to-end protection for data in sanctioned cloud resources & are essential in any zero-trust framework. With a comprehensive solution that proactively monitors for threats & risks, organizations can defend customer data in real time.”

https://www.cybernewsgroup.co.uk/virtual-conference-july-2021/

 

SHARE ARTICLE