Mercedes-Benz USA Says 1.6 Million Records ExposedNotification Comes Shortly After a Similar Disclosure by Volkswagen
Mercedes-Benz USA says one of its vendors exposed 1.6 million records that pertained to its customers and interested buyers.
Most of the exposed records contained names, addresses, email addresses, phone numbers and possibly information about purchased vehicles. The data was collected on dealer and Mercedes-Benz websites between Jan. 1, 2014, and June 19, 2017, according to a news release.
For a smaller number of people - which Mercedes-Benz says is less than 1,000 - more sensitive data was exposed, including self-reported credit scores, driver's license numbers, Social Security numbers, credit card information and birthdates.
Mercedes-Benz says it will offer two years of credit monitoring to those whose driver's license numbers, credit card information or Social Security numbers were exposed. The company says it is also notifying the "appropriate government agencies."
Mercedes-Benz officials couldn't immediately be reached for comment on Monday.
Breach Involved 'Cloud Storage Platform'
Mercedes-Benz didn't identify the vendor responsible for the exposure and didn't say how long the data had been exposed.
"Our vendor confirmed that the issue is corrected and that such an event cannot be replicated," the company says. "We will continue our investigation to ensure that this situation is properly addressed."
The vendor notified Mercedes-Benz on June 11. The exposure, which occurred on a cloud storage platform, was discovered by an external security researcher, Mercedes-Benz says.
The company indicated the data wouldn't be easy for an average internet user to find.
"To view the information, one would need knowledge of special software programs and tools - an internet search would not return any information contained in these files," Mercedes-Benz says.
It's possible the vendor misconfigured a database or storage platform. For example, security researchers frequently come across unsecured Amazon S3 storage buckets or deployments of Elasticsearch, which is an open-source platform for storing and querying data. Those mistakes can be found using specialized search engines such as Shodan and Censys.
Related to Volkswagen?
Mercedes-Benz's incident is similar to one disclosed in mid-June by Volkswagen and its Audi subsidiary (see: Volkswagen, Audi Notify 3.3 Million of Data Breach). But it's not clear if they’re related.
Volkswagen said that 3.3 million people in the U.S. were affected after a breach of one of its marketing services suppliers, which it did not name. The exposure affected customers and potential customers, with information including names, mailing addresses, email addresses and phone numbers.
Around 90,000 people in the U.S. saw other data leaked, which may have included driver's license numbers, birthdates, Social Security numbers or account, loan or tax identification numbers.
Volkswagen said it was alerted to the data exposure on March 10, 2021, and discovered the source of it by May. The data was left unsecured by its vendor sometime between August 2019 and May 2021, it said.