autoevolution
Car video reviews:
 

General Motors Hit by Cyberattack, User Data Including Home Addresses Exposed

General Motors is the latest car company to have suffered a cyberattack exposing customers’ data. Incidents have been detected throughout April, involving suspicious logins to certain GM online accounts and unauthorized redemptions of customer reward points for gift cards.
General Motors hit by cyberattack, user data including home addresses exposed 7 photos
Shell Pay & Save demonstrated in a Chevrolet TahoeGM's Downloadable Graphics Might Be the Coolest Feature for large displaysGM's Downloadable Graphics Might Be the Coolest Feature for large displaysOnStar Vehicle Insights now available for non-GM carsOnStar Vehicle Insights now available for non-GM carsOnStar Vehicle Insights now available for non-GM cars
General Motors believes it was the victim of a so-called credential stuffing attack. This means that the login data were obtained in a previous data breach on a different platform and used to attempt to log in to the GM account. When a user has the same credentials (user/password combination) to access various services, one data breach compromises all accounts using the same credentials. This signals the importance of using different login credentials for each platform.

Based on the investigation to date, there is no evidence that the login information was obtained from GM itself,” GM’s notice of data breach says. “We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

Although the attack happened in April, GM only notified its customers last week. The data breach allowed attackers to redeem customers’ reward points for gift cards. GM said it blocked access to this feature and notified its customers, requiring them to change their passwords. The reward points may not be the biggest problem, though.

According to GM’s notice of data breach, the cybercriminals also gained access to sensitive information. This includes first and last name, personal email address, personal address, username and phone number for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points.

General Motors says the breach has not exposed customers’ date of birth, Social Security number, driver’s license number, credit card, or bank account information. Nevertheless, the company required affected users to reset their passwords and strongly advised against reusing login credentials across multiple sites or platforms.

Cyberattacks have become common in the past years. While GM’s reported case seems relatively benign, Toyota was forced to suspend production in Japan after a cyberattack crippled all its factories two months ago. Volvo was also the victim of a cyberattack last December when its R&D data were stolen.

 
 
 
 
 

Would you like AUTOEVOLUTION to send you notifications?

You will only receive our top stories