Ferrari disclosed a data breach impacting the customer data of an undisclosed number of individuals after a threat actor made a ransom demand.
The Italian luxury automaker said it was contacted by a threat actor demanding payment after a cyber incident involving “certain client contact details.”
Ferrari confirms data breach but rejects ransom demands
According to Ferrari CEO Benedetto Vigna, the threat actor accessed a limited number of IT systems and potentially obtained customers’ names, addresses, email addresses, and phone numbers.
While it takes time for the full extent of a data breach to become apparent, Ferrari believes the incident did not expose customers’ financial or payment information. Wealthy individuals like Ferrari’s customers are a goldmine for cybercriminals. Consequently, leaking their personal information could expose them to targeted phishing attacks that could eventually compromise their payment information.
However, the company explained that the customer data breach had no material impact on the automaker’s operations.
“We can also confirm the breach has had no impact on the operational functions of our company.”
Seemingly, the threat actors did not encrypt Ferrari’s computer systems during the suspected ransomware attack. Threat actors frequently skip the tedious encryption process, given the widespread use of backups; in other cases, the process fails halfway. Additionally, skipping the encryption process helps them avoid attracting the attention of law enforcement, given the intense publicity of ransomware attacks.
Heath Renfrow, a co-founder of Fenix24, believes that “the lines are getting blurred between ransomware and extortion since these actors use tactics both together and interchangeably.”
Meanwhile, Ferrari said it turned down the ransom request and instead notified the victims to mitigate the impacts of the customer data breach.
“Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident.”
The luxury sports automaker believes that paying ransom perpetuates the cycle of more cyber attacks.
“As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks,” the company added.
Ferrari is working with a leading third-party cybersecurity firm to bolster its defenses and increase cyber resiliency. It also reported the cyber incident to the relevant authorities for further action.
Reiterating its commitment to data security, Ferrari said it takes the confidentiality of its clients “very seriously and understands the significance of this incident.”
According to Dror Liwer, Co-founder of Coro, customer data breaches have direct and indirect expenses in the form of lost revenue during disruptions and potential lawsuits and fines.
“While most organizations view customer data as an asset, when it’s stored in an unencrypted fashion, it’s actually a liability,” Liwer explained. “Beyond the obvious damage such a data leak represents, the reputational damage, especially for a premier brand, could be quite significant.”
Cause of data breach and impact on customer data still unknown
Ferrari did not disclose when the suspected ransomware attack occurred, the ransom amount demanded, the volume of customer data leaked, the number of victims, or the threat group responsible.
However, in October 2022, the Italian daily newspaper Corriere della Sera reported that a ransomware group identified as “RansomwareEXX” claimed to have breached the luxury automaker and exfiltrated 7GB of data, including internal documents, datasheets, and repair manuals.
Ferrari denied the allegation then, saying it had no evidence of any data breach or ransomware attack on its systems.
Another cybergang, Everest, targeted a Ferrari parts supplier, Speroni spa, and leaked the automaker’s projects. The Speroni data breach also impacted other luxury brands, such as the Volkswagen/Audi-owned Lamborghini and the Stellantis-owned Maserati.
“Ferrari’s data breach follows a number of similar, high-profile incidents, such as the Activision and Google Fi breaches in February of this year, and Uber in December 2022,” said Andrew Whaley, Senior Technical Director at Promon. “These incidents raise important questions about both the global cyber security threat level, and the adequacy of corporate cyber defence.”
Jason Middaugh, CISO at Inversion6, believes Ferrari handled the incident excellently because paying the ransom cannot guarantee that the cybercriminals will not publish the stolen data.
However, Jon Miller, CEO & Co-founder of Halcyon, noted that refusing to pay the ransom does not deter cybercriminals from breaching organizations.
“Not paying ransom demands does not end the financial incentive for these attacks – defeating the attack before they can exfiltrate data and before they can disrupt operations is the only way to make these attacks unprofitable.”

