Unprotected database containing 10 million U.S. vehicle owners’ personal details leaked

Approximately 10 million U.S. vehicle owners’ personal data was left exposed after a massive database containing their information was leaked.

Security researchers from Kromtech Security found the unprotected database split into three main sections which is thought to contain ‘critical and sensitive information’. The first section includes names, addresses, home and work numbers, dates of birth, gender and the number of children over 12 years old.

This information is thought to have been extracted from numerous U.S. based car dealerships.

Kromtech’s security researchers also found that the unprotected database contained the history of vehicles owned, Vehicle Identification Number (VIN), model, model year, sales representative name and mileage. This information was held on the second section of the database.

To add to the information leaked, the third section of the database contained sales details including vehicles’ mileage odometer, what method of payment the vehicle was paid by, monthly payment amounts and ‘much more’…

The leaked data includes VINs of 16,522 Jeep Wranglers. The data, in combination with other leaked data on the unprotected database, could allow cyber-criminals to do a lot of damage.

Kromtech Security’s discovery

In his report, Kromtech’s researcher Bob Diachenko noted:

“…sophisticated criminals have now created a way to combine traditional offline crimes like stealing cars and technology. Criminals are now using leaked or hacked data to obtain unique identifiers for a vehicle and then ‘cloning’ a VIN to make a stolen car appear to be perfectly legal.”

Mr Diachenko’s analysis shows the sheer importance in protecting online data as this could cause an unprecedented rise in crimes such as stealing and/or cloning cars.

It’s evident that this technique is frequently used by car thieves. Some may question the viability in doing so, but thieves can use some forgery to get the real title or other ownership documents from the motor vehicle office in the neighbouring state. If the thieves can register the vehicle (albeit, fraudulently) and it’s not reported as stolen, there can be very little chance that the vehicle can be traced back to the theft.

Mr Diachenko gives one example of this type of hack where 150 Jeep Wranglers were stolen. He said that the car thieves “used stolen VIN numbers to steal the cars. Using a compromised database of VINs for Jeep Wranglers, these bikers were able to create duplicate keys to gain access to the Jeeps they targeted.”

With approximately 10 million vehicle owners’ details exposed on the unprotected database, car thieves may be leeching onto the information to perpetrate crimes by acquiring vehicles illegally.

It’s also believed that the data was acquired for marketing purposes.

Though Mr Diachenko reassures vehicle owners that the unprotected database didn’t include owners’ card/payment data, there’s still a risk that those who had access to the database could still undertake identity fraud with the amount of personal data that was exposed.

Strict warning

The leaked data was online for just under five months – this could’ve caused a lot of damage and undue stress towards vehicle owners. This leak should be a strict warning to dealerships not only to fulfil their legal obligation to protect their customers’ data but also to protect details of what types of cars they sell.

Work-assigned mobile devices are increasing cyber security risks for organisations

Members of Parliament and Peers fall victim to brute force hacking attack