I probably use my iPhone’s real, actual phone feature a lot more than the average person, being a journalist and all. I talk on the phone with people every day, and when an unfamiliar number flashes up on my phone screen, I usually pick up, assuming it has something to do with work.
Everyone outside of my industry I speak with seems to avoid talking on the phone altogether. I can understand why. Half the phone calls I get are just straight-up spam, with either an automated voice or someone trying to sell me something on the other end. If I didn’t have to use my phone for a living, I’d definitely just ignore any number that wasn’t saved in my contacts.


If you own an Alfa Romeo, Chrysler, Dodge, Jeep, Maserati, or Ram, you should probably do the same. Stellantis on Sunday announced that a third-party service provider that supports the company experienced a data breach, with hackers gaining unauthorized access to customer data, specifically contact information. According to a new report from BleepingComputer, up to 18 million records could have been stolen.
Stellantis’s brief statement from Sunday doesn’t really say much, other than letting the public know something happened and that it responded:
“We recently detected unauthorized access to a third-party service provider’s platform that supports our North American customer service operations.
“Upon discovery, we immediately activated our incident response protocols, initiated a comprehensive investigation, and took prompt action to contain and mitigate the situation. We are also notifying the appropriate authorities and directly informing affected customers.”

The company goes on to say that only “contact information” was involved in the data breach, but doesn’t specify what sort of contact info or how many pieces of data were taken. These data points could be anything from names to phone numbers to email addresses. Importantly, Stellantis says no financial or “sensitive” personal information was accessed.
Then there’s this report from BleepingComputer, which claims to have actually talked to the hacker group behind the breach. From the piece:
“Although Stellantis didn’t share more information regarding this attack, BleepingComputer has learned that it is part of a recent wave of Salesforce data breaches linked with the ShinyHunters extortion group, which has affected numerous high-profile companies.
“Earlier today, ShinyHunters claimed responsibility for the Stellantis data breach and told BleepingComputer that they had stolen over 18 million Salesforce records, including names and contact details, from the company’s Salesforce instance.”
A Stellantis spokesperson declined to comment when I reached out about the above claims.
The BleepingComputer report goes on to say that this string of data breaches, which has also affected brands like Google, Cisco, Farmers Insurance, and Workday, has been done through voice phishing attacks. Anyone who’s taken one of those silly corporate training courses has probably heard of this before. These attacks, sometimes known as “vishing,” use good old-fashioned audio calls to trick people into giving up information. Here’s how Bank of America describes it:
“It usually comes as a phone call that sounds urgent or alarming. An unsolicited caller tells you your bank account has been compromised and that they need your PIN so they can verify your identity or unlock the account. Or they say they’re from a government agency, such as the IRS or the Social Security Administration. Sometimes they insist you owe money. Or they might announce you’re a lucky winner — but you’ll need to pay for shipping and handling to claim your prize.
[…]
“One of the reasons these deceptions can be so convincing is that criminals can use personal information they’ve harvested from other sources to make a vishing attempt sound like an honest exchange. They also spoof phone numbers that belong to established organizations, which makes them appear legitimate on your caller ID. And they may lower your defenses with excellent imitations of call center professionals.”
Pretty scary stuff. Stellantis is acutely aware of how someone’s contact info can be weaponized against them, so it’s told owners to be extra cautious:
“We encourage customers to remain vigilant against potential phishing attempts and avoid clicking on suspicious links or sharing personal information in response to unexpected emails, texts, or calls. Customers with questions or who wish to verify communications, should contact Stellantis directly through official channels.”
My recommendation? If someone calls you claiming to be a Chrysler Capital employee looking for this month’s loan payment, just hang up and call the place yourself to double-check things. That might sound rude, but better to be safe than sorry.
“If you own an Alfa Romeo, Chrysler, Dodge, Jeep, Maserati, or Ram”
SRT owners proven to have good judgment once again.
But what if it’s the Rapture calling?
As if it wasn’t bad enough that you made the poor life choice of getting a 7-passenger penalty box (The Dodge Journey), but that you also bought a Stellantis product. And now you’re getting scammed! Ouch.
The Journey was not a Stellantis product. It was discontinued in 2020, the Stellantis merger happened in 2021.
Oh, they’re not scammers – what you do is, see, you give them all of your credit card numbers, and if one of them is lucky, they’ll mail you a prize
Why does an automaker need my contact information? Just asking.
With Chrysler, it’s to inform you of the 20 or so recalls you’ll have during the ownership experience.
They need it to provide you personalized services (mostly postcards telling you that they need you to bring it in for a recall or reminding you that you could buy a new one) and sell your information.
The latter is probably the big one. They aren’t mad at the hackers for getting your info. They just wanted to charge them for it.
So, they don’t. OK!
I do think the recall notifications are important. Especially for Stellantis. But, yeah, it should be the minimum information needed to accomplish the task at hand, so I think it should just be a mailing address. No phone number, no demographic data, no attached history beyond the address and relevant vehicle. I don’t even think it needs to have your name attached. They can mail the recall notice to “owner of a [year, make, model].” How they get informed about moves and changes of ownership, I’m not sure, but I think that’s solvable with a lot less info than they keep currently.
They have data feeds into the state registration databases to update ownership status. This is a requirement so that they can properly notify owners in case of a recall.
I’m mostly unsure if it’s something they could use to connect a VIN to an address without collecting any further info or if they’ll always end up with the name of the registered owner. It seems like that should be possible to do without the name, though. Send recall notices to registered address, never note the owner’s name. Suddenly, the information you have is just a list of addresses without identifying information.
I absolutely agree with you, but we seem to have decided to allow corporations to stockpile as much data about us as possible, and if there aren’t legal protections stopping them, they absolutely will.
It gets worse though, even with just address it’s fairly trivial to use public information to tie that address to a human or humans associated with it.
Sure, it’s trivial to tie an address to a person, but we don’t need to provide the hackers everything on a silver platter. At least make them guess or figure out which person’s name should be attached to the vehicle and don’t give them a whole bunch of other identifying info.
But I know it’s a pipe dream. We love to let companies do whatever they want with our data in this country, all while convincing people it’s China getting our data that’s the real problem.
Google says hello
I mean, for a “do not drive”-level recall, I’d be happy to receive a phone call
Just getting prepared for the next class action lawsuit, probably.
If I want to talk to someone, I will call them. But I don’t.
Leave me a message and I’ll call you back. They generally don’t though. Maybe they don’t like me that much?