According to a message sent to clientele on Monday, luxury car manufacturer Ferrari, based in Italy, has fallen victim to a ransomware attack that exposed certain personal data of its customers.
The company confirmed awareness of the breach after being contacted by hackers who demanded payment to prevent the disclosure of customer information. The compromised data includes names, addresses, email addresses, and phone numbers; however, more sensitive details such as payment data or vehicle specifications do not appear to have been part of the leaked information.
via Ferrari
Ferrari stated that it collaborated with a cybersecurity firm to verify the validity of the data. Additionally, the company opted not to pay the ransom because the customer information had already been exposed, and paying the demanded sum would not alter that fact. Ferrari’s decision to reject the ransom payment aligns with current trends in the cybersecurity sector, where paying for data increases the likelihood of future attacks, possibly from the same threat actors, as indicated in a report by Cybereason.
The company reported the incident to the authorities and collaborated with external service providers to “further bolster [its] systems.” Ferrari assured that the breach has not impacted its day-to-day operations.
This is not the first instance where an unauthorized party has claimed to have accessed Ferrari’s internal systems.
In October 2022, shortly after Ferrari announced its collaboration with cybersecurity firm Bitdefender in the Formula 1 arena, a ransomware faction known as RandomEXX stated that it had extracted 7 GB of files from the Italian carmaker, including data sheets and internal documentation. Ferrari disputed these claims of a ransomware intrusion, asserting that they had no proof of any breach at the time.
It remains uncertain whether these two incidents are linked; however, it seems improbable that Ferrari would delay informing customers of a breach for over five months, particularly in light of the European Union’s strict regulations on data privacy. Nevertheless, it is plausible that Ferrari did not uncover evidence of a possible breach during the October episode or only recently affirmed data loss. Ferrari’s statement implies that the company had already engaged a third party in conducting incident response and mitigation, a process that can extend over weeks, months, or more, depending on the firm’s size and the severity of the breach. The company has chosen not to offer further details on either breach, citing an ongoing criminal inquiry.
Do you have information or queries for the author? Reach out directly: rob@thedrive.com