The well-known luxury car brand BMW improperly secured its systems and exposed extremely sensitive files to the public. Threat actors had enough time to exploit the exposed data to steal source code and even obtain BMW customer data.
How Were Clients' Data and the Website's Source Code Put at Risk?
In February, researchers discovered that an unprotected environment (.env) file and .git configuration files were hosted on the official BMW Italy site. These could enable malicious actors to learn how the system is built and configured and to access the customer database.
The discovery illustrates that even well-known and trusted brands can have severely insecure configurations, allowing attackers to breach their systems in order to steal customer information or move laterally through the network. Customer information from such sources is especially valuable for cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen.
What Customer Info Does BMW Store?
BMW Italy's website collects a variety of user data, such as name, home and email addresses, and phone numbers. These alone could be enough for a threat group to use in a phishing campaign.
But BMW also knows:
- what car you have and all the technical information about it
- phone location. If you have the BMW or Mini apps installed and connected, a hacker could tell whether you are in the car or far away.
- how much it cost and other contract details.
- your online account's data
Technically, all this information is protected, but you should still be wary of suspicious-looking emails and keep an eye on your banking data.
What Should BMW Do to Protect Their Data?
According to researchers, BMW should enforce a series of security best practices:
- Reset the GitLab CI token. Otherwise, hackers could clone the .git repository and exploit other vulnerabilities.
- Change MySQL and PostgreSQL database credentials.
- They should also change the ports and IP address of the host, as a measure to prevent data leakage.
- Change the ports on which administrative portals listen for incoming connections. Hackers might use port scanning to launch their attacks more effectively.
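An added example (not from the article, and not BMW's own tooling) of the deployment check these recommendations imply: it lists which dotfiles under a web document root would be served publicly and, from a constructed sample .env, which credentials would have to be rotated once exposed. The sample values, the set of flagged files and the variable-name pattern are assumptions.

```python
"""Audit a web document root for exposed dotfiles and credentials to rotate."""
import os
import re
from pathlib import Path

# Files that must never be reachable through the web server (assumed list).
EXPOSED_FILES = {".env", ".git/config", ".git/HEAD", ".git/index"}

# Variable names that hold credentials; the pattern is an assumption.
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_KEY)$", re.IGNORECASE)

# Constructed sample .env; placeholder values, not BMW's file.
SAMPLE_ENV = """# constructed sample
APP_ENV=production
DB_HOST=db.internal
DB_PASSWORD='s3cr3t-placeholder'
GITLAB_CI_TOKEN="glpat-PLACEHOLDER"
DB_PORT=5432
"""

def parse_env(text):
    """Parse KEY=VALUE lines of a dotenv file, ignoring comments and blanks."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def secrets_to_rotate(env):
    """Names of credential-like variables that carry a non-empty value."""
    return sorted(k for k, v in env.items() if v and SECRET_KEY_RE.search(k))

def exposed_paths(relative_paths):
    """Subset of docroot-relative paths that a web server must not serve."""
    return sorted(p for p in relative_paths if p in EXPOSED_FILES)

def audit_docroot(docroot):
    """Walk a real document root and report exposed files and secrets to rotate."""
    root = Path(docroot)
    found = [p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()]
    report = {"exposed": exposed_paths(found), "rotate": []}
    env_file = root / ".env"
    if env_file.is_file():
        report["rotate"] = secrets_to_rotate(parse_env(env_file.read_text()))
    return report

if __name__ == "__main__":
    print(audit_docroot(os.environ.get("DOCROOT", ".")))
```

Run it with DOCROOT pointing at the deployed site directory; any entry under "exposed" means the server configuration must deny those paths, and every name under "rotate" is a credential to change, not just hide.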