In a significant blow to data privacy, BMW has reported a major data breach affecting approximately 14,000 customers in Hong Kong. The BMW data breach first flagged to the Office of the Privacy Commissioner for Personal Data on July 18, 2024, has raised serious concerns among affected individuals and sparked an investigation by local privacy authorities.
On Thursday, BMW Concessionaires (HK), the exclusive distributor of BMW vehicles in Hong Kong, revealed that sensitive information belonging to around 14,000 of its customers had been exposed. This includes names, mobile numbers, and SMS opt-out preferences, reported South China Morning Post. The company disclosed that the compromised data was managed by a third-party contractor, Sanuker, which had alerted both the police and the privacy watchdog about the BMW data leak.
Details of the BMW Data Breach
Michael Gazeley, a cybersecurity expert and BMW iX electric vehicle owner, expressed his frustration over the handling of the situation. Gazeley criticized BMW for its lack of direct communication with affected customers, noting that the company had only posted a brief notice on its website. “It’s a pretty serious breach where a lot of confidential data has gone,” Gazeley remarked. “There could be all sorts of consequences for fraud and scams based on the customer information.”
The Office of the Privacy Commissioner for Personal Data is currently investigating the incident. While the investigation is ongoing, the watchdog has not yet received any formal complaints or inquiries related to the breach. The agency had advised BMW to inform affected individuals promptly, but there has been significant public dissatisfaction with the company’s response.
In addition to the recent breach, there has been a concerning history of BMW cyberattacks and data breaches. Earlier in February 2024, a separate security lapse exposed sensitive internal information. This incident involved a misconfigured cloud storage server hosted on Microsoft Azure. Security researcher Can Yoleri discovered the exposed data while scanning the internet, revealing private keys and internal data files from BMW’s development environment.
Previous Data Breaches at BMW
Yoleri highlighted that the misconfiguration of the cloud storage bucket made it publicly accessible instead of private. The exposed data included access credentials for BMW’s cloud services in multiple regions, including China, Europe, and the United States. The exact duration of the exposure remains unclear, leaving a significant gap in understanding the full extent of the breach.
Adding to the alarm, the hacker group known as 888 claimed responsibility for the data leak. According to reports on BreachForums, a notorious hacking forum, 888 made the stolen data publicly available on July 15, 2024. This data dump included detailed personal information such as salutations, surnames, first names, mobile numbers, and SMS opt-out preferences of BMW customers in Hong Kong.
In response to the latest data breach, BMW has stated that it is taking the privacy of its customers very seriously. The company has committed to enhancing its data security measures to prevent future incidents. BMW has also emphasized its ongoing efforts to bolster the security of its systems and protect customer data from unauthorized access.
