Mercedes-Benz Data Breach Sheds Light on the Importance of Third-Party Risks
The Mercedes-Benz Data Breach Brings the Issue of Private Data Accidentally Becoming Accessible Into the Spotlight.
The recent Mercedes-Benz data breach exposed sensitive information, such as credit card information, social security numbers, and driver's license numbers, of almost 1,000 Mercedes-Benz customers and potential buyers.
Mercedes-Benz announced last week, after assessing 1.6 million customer records which included customer names, addresses, emails, phone numbers, and purchased vehicle information, that sensitive personal information belonging to almost 1,000 Mercedes-Benz customers and interested buyers was made accessible on a cloud storage platform.
The Mercedes-Benz data breach sheds light on an issue that security teams see constantly: private data accidentally left publicly accessible on a cloud storage platform by careless vendors.
This leaves room for cybercriminals to exploit the exposed information for identity theft and blackmail.
Demi Ben-Ari believes that this could be a preventable situation, as it only requires companies to monitor how their third parties are managing their data with cloud services.
Companies should be sure to check whether their third parties’ cloud services have security enabled for cloud storage buckets. Since companies can work with hundreds or even thousands of third parties, it’s necessary to use an automated solution that can accomplish this quickly and efficiently.
According to John Morgan from Confluera, it can be difficult to deploy security features from cloud infrastructure providers across multiple cloud environments with any level of consistency. Companies should therefore look for third-party security solutions that are specifically designed for the cloud and address some of its unique challenges, including coverage across containers, Kubernetes, and multi-cloud environments.
It’s also important to have a strong preventive, zero-trust approach, and an equally strong detection and response capability based on the assumption that you have already been attacked and the attackers are picking your environment apart at all times.
A recent press release stated that the personal information of those affected consisted mainly of self-reported credit scores, as well as a very small number of driver's license numbers, social security numbers, credit card information, and dates of birth.
Mercedes-Benz disclosed that the leaked information was entered by customers and interested buyers sometime between January 1, 2014, and June 19, 2017, but that no Mercedes-Benz system was compromised and there’s no evidence that any Mercedes-Benz files were maliciously misused.