Fewer than 1,000 individuals impacted by bungle

Mercedes-Benz USA admits customers' credit card details, driver's license numbers were accessible for 3.5 years

UPDATED Mercedes-Benz USA has reported a data breach in which some customers’ sensitive personal data was potentially accessible to malicious hackers for three and a half years.

A vendor alerted the carmaker to the incident, in which the data was “inadvertently made accessible on a cloud storage platform”, on June 11 after an external security researcher spotted the blunder, according to a press release published yesterday (June 24).

A subsequent investigation determined that fewer than 1,000 Mercedes-Benz customers and prospective buyers were affected.

Read more of the latest automotive security news and analysis

The data “is comprised mainly of self-reported credit scores as well as a very small number of driver license numbers, social security numbers, credit card information, and dates of birth”, said Mercedes-Benz USA.

“It is our understanding the information was entered by customers and interested buyers on dealer and Mercedes-Benz websites between January 1, 2014, and June 19, 2017.”

Special tools required

The automotive giant said the “vendor confirmed that the issue is corrected and that such an event cannot be replicated”.

It added: “No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.”

Mercedes-Benz USA also said that the data could only be accessed by someone with “knowledge of special software programs and tools”, adding that “an internet search would not return any information contained in these files”.

The ongoing investigation was initially launched to assess whether approximately 1.6 million unique records, primarily consisting of names, addresses, emails, phone numbers, and purchased vehicle information, were accessible.

However, it was later confirmed that only the 1,000 people were affected.

Mercedes-Benz USA said it has already begun notifying individuals and will notify relevant government agencies in due course.

Anyone whose credit card information, driver’s license number, or Social Security Number were potentially exposed will be offered complimentary 24-month subscription to a credit monitoring service, it added.

Asked about the nature of the third-party vendor that reported the breach, Mercedes-Benz USA told The Daily Swig that they manage “digital sales and marketing activities for MB customers and interested buyers”.

The company declined to comment further.

This article was updated on June 25 with comments from Mercedes-Benz USA.

RELATED West Virginia job seekers alerted to gov’t employment agency data breach