Cloud Security, Patch/Configuration Management, Vulnerability Management

Mercedes-Benz cloud data exposure shines spotlight on third-party risk

Mercedes-Benz disclosed late last week that sensitive personal information of less than 1,000 Mercedes-Benz customers and interested buyers was made accessible on a cloud storage platform – an issue experts say security teams can prevent by working more closely with third-party providers to lock down cloud databases.

The Mercedes-Benz leak highlights an issue that security teams keep seeing time and again: Private data that’s accidentally left publicly accessible on a cloud storage platform by a vendor.

Cybercriminals can exploit such information for identity theft and blackmail, said Demi Ben-Ari, co-founder and chief technology officer of Panorays. While it’s a preventable situation, Ben-Ari said it requires companies to monitor how their third parties manage their data with cloud services.

“Companies should be sure to check whether their third parties’ cloud services have security enabled for cloud storage buckets,” Ben-Ari said. “Since companies can work with hundreds or even thousands of third parties, it’s necessary to use an automated solution that can accomplish this quickly and efficiently."

John Morgan, CEO at Confluera, said it's difficult to deploy security features from cloud infrastructure providers across multiple cloud environments with any level of consistency. Morgan said companies should look for third-party security solutions that are specifically designed for the cloud and address some of its unique challenges, including coverage across containers, Kubernetes, and multi-cloud environments.

“It’s also important to have a strong preventive and zero trust approach, and have an equally strong detection and response based assumption that you have already been attacked and the attackers are picking your environment apart at all times,” Morgan said.

A release said the vendor that informed Mercedes-Benz on June 11 of the data issue said the personal information for those affected consisted mainly of self-reported credit scores, as well as a very small number of driver’s license numbers, social security numbers, credit card information, and dates of birth.

The car company said the information was entered by customers and interested buyers on dealer and Mercedes-Benz websites between January 1, 2014 and June 19, 2017. No Mercedes-Benz system was compromised as a result of this incident, and there’s no evidence that any Mercedes-Benz files were maliciously misused.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.