The LockBit 3.0 ransomware gang has claimed responsibility for an attack against car seller Eagers Automotive, raising concerns that the data of millions of customers may have been stolen.
Eagers Automotive is the largest car and truck retailer in Australia and New Zealand, operating 300 selling points for various major car brands, and commanding a 12% share of new vehicle sales in those markets. Its business includes selling new and used vehicles, maintenance and repair services, parts, extended service contracts, vehicle brokerage, protection products, and other aftermarket products. The company operates a massive network of vehicle dealerships, employs 8,500 people, and achieved net sales of AUD 4.1 billion this year.
The firm first notified the public on Wednesday about a cyberattack that forced it to halt trading, which indicated a substantial impact. The next day, an update came in the form of a media statement, which said that the incident had caused an extensive IT systems outage, impacting business in some locations across Australia and New Zealand.
Yesterday, Eagers Automotive released yet another update on the situation, apologizing to customers for the inconvenience the disruption in its various business units has caused. Specifically, the car dealership network operator said it was unable to finalize transactions on new vehicle purchases for which the sale had been finalized and was pending delivery to the clients. Understandably, this must have caused incredible frustration to impacted clients eagerly waiting to receive their new cars.
Despite the multiple announcements and assurances that the case is being handled professionally within the company, Eagers Automotive has still not disclosed the type of cyberattack, nor has it determined if customer data have been exposed due to this incident.
“A primary focus of the investigation is to understand whether any personal information has been impacted,” reads the latest update.
“This remains under close review. Should our investigations reveal any unauthorized access to personal information, the company will notify affected individuals in accordance to our obligations.”
Today, LockBit 3.0, a notorious and highly active ransomware-as-a-service platform known for numerous breaches of high-profile organizations worldwide, has claimed responsibility for the attack on the Australian giant. The cybercriminals have given Eagers Automotive until January 19, 2024, to meet their demands, likely a multi-million ransom payment, or else they threaten to publish all stolen files.
If LockBit’s claims are valid, they could be holding various types of customer data, including names, addresses, contact details, vehicle purchase history, service and repair records, financial details related to vehicle financing or purchases, and possibly preferences or inquiries related to vehicle types, features, or services.
The above data would enable highly effective phishing, identity theft, financial fraud, and generic scam attacks.
If you are a former client of Eagers Automotive, you should treat your personal information as already compromised and act accordingly. This would entail being extra cautious with unsolicited communications and suspicious requests, especially those related to your car purchases.