In recent communications to data regulators and customers, the US wing of German-owned car manufacturer Mercedes-Benz disclosed a large-scale data leak.

In a recent investigation undertaken by the company, 1.6 million individual customer data records were accessed. The files included a wealth of personally identifiable information (PII) on Mercedes-Benz’s USA customers, and the analysis focused on the potential impact the breach may have had on its client base.

Data leak impact uncovered

The German luxury vehicle company confirmed that the breach had impacted both potential Mercedes-Benz buyers and existing customers. A vendor used by the company informed it that personal data belonging to select customers was compromised because of insufficiently secured cloud storage.

According to Mercedes-Benz, the leak affects individuals who entered private information on the company’s and its dealers’ websites during the period from 2014 to 2017.

The German auto brand stated:

“It is our understanding the information was entered by customers and interested buyers on dealer and Mercedes-Benz websites between January 1, 2014, and June 19, 2017. No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.”

The press release also commented on the measures being taken following the incident:

“Data security is a serious matter for MBUSA. Our vendor confirmed that the issue is corrected and that such an event cannot be replicated. We will continue our investigation to ensure that this situation is properly addressed.”

Customer data exposed by the breach

The notification issued by the vendor to Mercedes-Benz listed the specific types of PII contained in the inadequately protected records. Dates of birth, credit card numbers, social security numbers, driver’s licence numbers and personal customer credit scores were among the examples given.

The automaker commented that this private data was not so poorly secured that it could be indexed or searched using a conventional online search facility. It stated that to view the sensitive information, a person would need to possess an advanced understanding of specific tools and programs.

Mercedes-Benz issued this statement following the review of close to 1.6 million different customer files that listed names, addresses, email addresses and phone numbers, as well as vehicle purchase information. However, after completing its full investigation, it was required to revise the information when it realised that some of the data subjects had additional personal details disclosed due to the cloud storage weakness.

Mercedes-Benz USA has commented that it is currently informing the impacted individuals of the incident. No exact figure was given regarding how many data subjects had this additional personal content exposed, but the company stated that fewer than 1,000 of its customers were affected.

To support those whose credit card details, social security numbers and driver’s licence numbers were exposed, Mercedes-Benz is offering them a free credit monitoring service for two years as added protection from fraudsters. The company commented that it will also be notifying all government agencies of the data breach.