Mercedes-Benz USA has disclosed a data breach within one of its vendors that leaked customers’ and potential buyers’ sensitive and personal information. According to the announcement, the information comes from customers who entered various personal details on Mercedes-Benz websites between Jan. 1, 2014, and June 19, 2017. Customers and potential customers from the affected time period may have had their driver’s license numbers, Social Security numbers, and credit card information leaked. Additionally, self-reported credit scores and dates of birth are all part of the data breach.
<p>Traditional customer databases present an enticing honeypot of Personally Identifiable Information (PII). According to the Verizon Data Breach Investigations Report (DBIR), over 80% of data breaches rely on exploiting lost or stolen credentials. Furthermore, over 50% of such breaches originate from third parties or contractors. Companies need to aggressively shift to a passwordless MFA paradigm using modern authenticators like phone as a token or FIDO2 security keys. These authentication methods create an unphishable relationship between the end user and the IT system, thereby reducing the attack surface of vulnerable passwords and making the environment more resilient to such cyber incidents. Furthermore, these methods offer better user satisfaction as they have less friction in use.</p>
<p>While it was reported by Mercedes-Benz that no MB system was directly compromised as a result of this incident, the reported breach of 1,000 existing and prospective customers via their cloud storage vendor’s platform should raise awareness of the importance of proper due diligence and understanding as to how your cloud service providers are protecting your data. I applaud the diligence and craft of the MB-hired security researcher in identifying this and bringing it to the attention of MB and ultimately to the CSP. With all the cyber incidents that have been reported recently, it is refreshing to see the swift action taken by MB in addressing the incident with their CSP and ultimately, with their customers.</p>
<p style="font-weight: 400;">Organizations not only need to be attentive to the way that they handle and process sensitive customer data, but they also need to make sure that their vendor and partner organizations with whom they share data treat sensitive information with the same care and diligence. As the Mercedes-Benz USA breach displays, vendors can utilize your enterprise data for a variety of reasons, but one mishap or misconfiguration of a cloud service can trigger an inadvertent incident, or worse. Then you bear the responsibility for mitigating and rectifying the situation.</p>
<p style="font-weight: 400;">This is the reason that applying data-centric security to your collected customer data as soon as it enters your ecosystem has the best chance of securing that sensitive information for the long run. Tokenization obfuscates sensitive data elements, but enterprise applications such as data analytics can still work with and process protected data with no negative effects.</p>