Stellantis, the parent of Citroën, FIAT, Jeep, Chrysler, and Peugeot, has confirmed a data breach affecting customers in North America.
The company said on Sunday it detected unauthorized access through a third-party service provider that supports its customer service operations. Stellantis did not disclose how many people were affected.
The compromised data included customer names, addresses, phone numbers, and email addresses. Stellantis stressed that no financial details or other sensitive personal information were exposed.
“Upon discovery, we immediately activated our incident response protocols … and are directly informing affected customers,” the company told Reuters. Federal authorities have been notified.
Stellantis urged customers to stay alert for phishing attempts, warning them not to click suspicious links or share personal information in response to unexpected or urgent requests.
A Pattern in the Industry
The incident isn’t the first in this industry. Jaguar Land Rover was forced to halt UK factory operations earlier this month after a cyber incident.
The breach is part of a broader trend. Large organizations are becoming prime targets as they rely more on third-party vendors and complex digital systems.
Every partner with access to customer data can be a weak point. In recent months, we’ve seen attacks against leading brands including Marks & Spencer, The Co-op, Adidas, Christian Dior, and many more.
Global companies face a rising tide of cyber and ransomware attacks. Sophisticated threat actors are disrupting operations and stealing sensitive data across industries, from healthcare and finance to retail and regulators.
A Blind Spot
Anders Askasen, Director of Product at Radiant Logic, says cyber incidents tied to third-party providers are unfortunately a blind spot that could cause CISOs to have sleepless nights. They also highlight the fact that identity security doesn’t stop at the perimeter.
“Attackers can weaponize leaked and compromised identity data for phishing and social engineering attacks that open the door to larger breaches,” Askasen adds. “The automotive industry has a norm of a sprawling ecosystem of suppliers and contractors and not having the unified visibility and control creates systemic exposure.”
He says global initiatives such as the EU’s NIS2 Directive put a sharp focus on third-party and supply chain risk, making continuous monitoring of identity security posture a compliance requirement. “Meeting this standard demands a data-centric approach that unifies identity intelligence across suppliers and contractors, giving enterprises the observability to detect, contain, and minimize risk. Organizations that apply the same rigor to third-party identities as they do internal ones will be far better prepared to withstand inevitable attacks.”
The Common Thread
Javvad Malik, Lead CISO Advisor at KnowBe4, comments: “The common thread in most of these recent attacks across various industries is the fact that supply chains are often compromised to gain access to systems.
“Criminals often target a smaller partner with weaker defences, with social engineering being a common tactic. This includes convincing emails, messages, or calls, which can be powered by AI and deepfake technology to trick people into sharing access or approving actions they shouldn’t.
“The approach to be taken is full human risk management which includes the use of technology and clear training, simple processes, and easy ways for people to ask for help so they can make safer choices in the moment,” he adds.
“Incident response must cover more than the technical fix. It includes the need to communicate quickly and clearly with customers and stakeholders about what happened, what it means for them, and exactly what steps they should take.”
A Proactive, Layered Approach
Jamie Akhtar, CEO and Co-founder at CyberSmart, adds that this news follows similar recent data breaches and shows that these kinds of attacks aren’t going anywhere. “It seems that unauthorized access was gained through a third-party provider. Although Stellantis haven’t disclosed how many customers are involved, it has been confirmed that the compromised data includes customer names, addresses, phone numbers and emails.”
Organizations can stay safe going forward by adopting a proactive, layered security approach that goes beyond compliance, Akhtar says. “This means implementing robust access controls, strong data encryption, and multi-factor authentication to protect sensitive information. Regular employee training helps reduce human error and phishing risks, while continuous monitoring, logging, and threat detection of their own systems and third-party systems enable faster response to suspicious activity.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


