Technology has made the sharing economy era flourish. In this era, services and products have become much more accessible and within reach, making even vehicles simpler to attain. Now, with just an app, people can easily rent a car anytime, anywhere. However, this comes with added risks. A recent data breach at a car rental service in Taiwan that left thousands of customers' data exposed highlights such concerns.
The immediate benefits of an app-powered car rental service are readily apparent. For one, not only does this service save a person from the maintenance and parking costs of driving their own car, it also allows them to try different types of cars for different driving experiences with ease. Like many services in this era, however, the prerequisite of enjoying convenience is to share personal data. An individual might be asked to provide ID and credit card numbers, a copy of their driver’s license, and their e-signature when registering for a car-sharing service. Unfortunately, giving up such information means opening oneself to the risk of data breach and theft, and to the possibility of becoming a target of fraud rings as a result of operational negligence or security gaps.
The Consequences of Stolen Data
Gaining access to someone else’s personally identifiable information (PII) is the key entry point for thieves to be able to commit fraud. With stolen PII, a thief can open bank accounts, withdraw cash, and even apply for credit cards or loans. Such crimes not only lead to financial losses but also reflect on a victim's credit rating with little chance of regaining their previous credit reputation. After all, banks have been known to deny fraud victims compensation since from their perspective, the thief had successfully given all the necessary identification and requirements to make such transactions under a victim’s name.
Today, identity theft is one of the most common examples of a cyberattack, and theft of an individual’s PII only increases their likelihood of falling victim to fraud. In some cases, cybercriminals have conducted data theft through surprisingly simple means. The recent incident in Taiwan disclosed by security researcher Anurag Sen is a perfect example of this. In this case, Anurag Sen found that anyone who knew the IP address of the car-sharing service’s database would be able to access it because the database was not password-protected. Although the service provider confirmed that it had already blocked outside connections to the IP address, its customers' personal data is presumed to have been exposed since as early as May 2022.
Data Breaches and the Automotive Industry
For the automotive industry, this is neither the first nor the only incident of data exposure. In VicOne’s 2022 automotive cybersecurity report, we observed that data breaches are the second most common type of incident faced by the automotive industry, just behind ransomware. According to VicOne's records, there were about 30 data breach incidents in the last two years alone. Among those affected are well-known companies such as Toyota, Ford, NIO, Volkswagen, and General Motors. The list goes on to include not just OEMs but also suppliers and dealerships. For example, in December 2022, Arnold Clark, said to be one of the largest independent car retailers, notified customers that their personal information had been stolen in a campaign claimed by Play ransomware operators. The stolen data included customers’ ID documents (such as passports and driver's licenses), national insurance numbers, and bank account details.
What insights can we gain from these incidents? To safely reap the benefits of today’s technologies and the current sharing economy in the automotive sector, one should not only be aware of but also vigilant about the risks that come with these conveniences. Thankfully, the automotive sector is taking more stringent action against cyberattacks and has begun taking a more proactive approach to threats. Meanwhile, users can take steps to take charge of their own data. Applying security best practices can help limit the consequences of data breaches by making it harder for cybercriminals to enter accounts and minimizing the extent of data exposure should a breach occur.
The following are some steps users can take:
- Use strong passwords for all online accounts, such as for subscriptions, online banking, and social media. Good password management practices minimize the risk of unwanted access in a potential data breach.
- Use multifactor authentication (MFA) as an extra layer of protection against unwanted access to online accounts.
- Regularly monitor for unauthorized access to any account and report unusual activity to authorities as soon as possible to stop potential breaches from leading to further damage or losses.
- Be wary of different social engineering tactics used by cybercriminals for stealing online credentials.
- Trace data specific to your personal information by listing all the websites, apps, subscriptions, and services that require your information.
- Practice data minimization by limiting the amount and kind of data or information that you provide, especially for public online spaces.
It is safer to assume that more and more attackers will purposefully steal PII as this type of data becomes more integrated in the automotive ecosystem. In order to better ensure the safety of their data, users should always consider whether a company has solid cybersecurity protection and strategies in place, demonstrating that it values its customers’ privacy and security.