The Details of 384,319 BMW Owners Are for Sale on the Dark Web

• Hundreds of thousands of BMW owner details are now available for purchase on the dark web.
• The data seems to derive from hacking a car dealership or an automotive call center in the UK.
• Not many details about the breach have been made known, and BMW hasn’t responded officially yet.

KELA researchers have shared one of their most interesting recent findings with TechNadu, and it looks like it concerns BMW and 384,319 of its customers in the UK. Apparently, the prolific hacking group that is known as “KelvinSecurityTeam” has posted a database they acquired when hacked ‘bmw.com.’ This is the same group of actors that recently sold databases from 16 companies, including the business consulting firm “Frost & Sullivan.” The data that is included in the most recent listing includes initials, surnames, email addresses, home addresses, vehicle numbers, dealer names, and various other details like MOT dates, etc.

Source: KELA

KELA decided to investigate further, as the listing seemed to be a serious data leak with severe consequences for the BMW car owners, and so they obtained the database. The data in the listing doesn’t seem to derive from ‘bmw.com’ as the hackers claim - but from one of BMW’s car dealers in the UK, or possibly a call center that manages the tickets of various car brands customers. The records are actually 500,000, and they also include details of owners of Mercedes, Seat, Honda, Hyundai, and other car marques. The validity and the dates of the data seem to be valid, and they are dated between 2016-2018.

Back in December, we covered the news of Vietnamese hackers compromising the BMW network and Hyundai, installing the “Cobalt Strike” tool on the target computers and engaging in cyber-espionage operations. However, it is unlikely that the two stories have a connection. These past incidents were most probably launched by state-supported Chinese actors, not hackers whose goal is purely financial. Neither BMW nor any dealerships in the UK have responded with an official announcement on this story yet, so anything regarding the security incident remains blurry.

And this is where the role of the customer should come into play. Contacting your dealership and asking for explanations would be a solid first step. Informing the UK data protection officer would also be key in launching an investigation that will get to the bottom of this.

Finally, when contacting customer support, try to share the minimum PII with them or even share fake information when the request is non-critical. The “KelvinSecurityTeam” is just one of the countless actors that move offensively online, stealing data and selling them on the dark web. That said, the odds of finding your data being treated as a tradable commodity by multiple actors simultaneously without you even knowing it are overwhelmingly high.