BMW Brazil: ‘millionaires’ leak shows customers’ monthly income

2 reports arrived TecMundo Around 15 thousand Brazilian customers of luxury car manufacturer BMW are on display at the beginning of November. Spreadsheets provide details ranging from full names to monthly income.

This happened on November 18. delivered Two reports from TecMundo, “BMW Customers” and “High-Income Multimillionaires”signed”Brazilian hacker Joao do Cao”. In these, it is possible to track data such as full name, e-mail, CPF, CNPJ, date of birth, e-mail, telephone number, full residence/company address, relevant company and declared monthly income.

Customers who may be affected will of course be informed.

There are around 46 thousand records in the documents, but when copies are excluded, the leak affects around 15 thousand citizens. The “BMW Customers” list includes information on 14,856 people, while the “High-Income Multimillionaires” list lists 113 customers.

“The dossier was gradually built up through BMW dealers,” the anonymous source explains. TecMundo. “On the financing side, there was a change in systems at the end of 2023, and the new system would have vulnerabilities that allowed mass access to data that did not belong to the sellers’ customers,” he notes.

The source also explains that he had access to the exposed data because “a BMW dealer from Brasília (DF) collected this data and sold it to real estate agents and other professionals.” Segmented by income.”

THE TecMundo contacted BMW Brazil for positioning. The company comments: “Confidentiality and responsible use of customer data are top priorities for the BMW Group. BMW Serviços Financeiros do Brasil considers this issue to be very important. The company is investigating an incident related to data information security. Customers who may be affected will of course be informed.. The company strengthens its commitment to maintaining the security of its systems and protecting customer data from unauthorized access”.

Not only positioning but also TecMundoBMW Brasil states that it has investigated the facts and has not found any existing security vulnerabilities in the system. Additionally, the information contained in the spreadsheets will be from 2016.

According to Luciano Martini, NZN information security analyst “The leakage of personal information online can lead to serious risks that go beyond loss of privacy, such as the use of social engineering,” the report helps verify data.

“The data can be used in call centers and other systems to verify your identity by pretending to be the person exfiltrating the data, so the cybercriminal can rent services or provide loans on behalf of the victim,” Martini explains.

Companies also suffer from unauthorized data disclosure or internal manipulation. Martini points out that such leaks can lead to financial loss, damage to reputation and loss of customer trust.

“In addition, BMW may be responsible for complying with applicable laws and regulations regarding the protection of personal data, including notifying affected customers, cooperating with regulatory investigations, and implementing enhanced security measures to prevent future leaks. Companies should therefore take the privacy and security of customer data seriously and “It is important for companies to adopt stringent security practices, such as adopting security standards in their management systems, to minimize risk,” he concludes.

Dangers of such leaks

These types of leaks are dangerous because they encourage spear phishing, opening of orange accounts, and similar cybercrime activities. Spear phishing, for example, allows criminals to send spoofed messages specifically designed to gain greater success against a single target.

It is important to follow the steps below:

• Use second factor authentication (2FA) on all accounts through third-party apps (Google Authenticator, Microsoft Authenticator, Authy, etc.), no SMS
• Check financial transactions in the Central Bank Register
• Check for email and password leaks at Have I Be Pwned
• Avoid clicking on urgent messages via SMS, email and messaging apps (always check official channels if in doubt)