Skip to main content

1.6 million hit in possible Mercedes-Benz data breach — what you need to know

Mercedes EQS
(Image credit: Daimler)

Mercedes-Benz USA yesterday (June 24) disclosed a data leak on the part of a third-party vendor that exposed the personal information of up to 1.6 million prospective and actual customers, including names, street addresses, email addresses and phone numbers.

In addition, said Mercedes-Benz USA, "less than 1,000" people had very sensitive personal information — such as "driver's license numbers, Social Security numbers, credit-card information and dates of birth" — exposed. Mercedes-Benz said it would provide free credit monitoring and identity-theft protection to those individuals.

If the data was indeed stolen (there's no evidence yet that it was), then those 1,000 or so individuals are at elevated risk of identity theft. A full name, street address, date of birth and Social Security number are often all you need to open accounts in someone else's name. 

Anyone told by Mercedes-Benz USA that that very sensitive information was exposed should consider accepting the credit-monitoring offer, though be sure to read the fine print as signing on may limit your options for legal action in the future. Alternately, you might want to consider paying for one of our best identity theft protection services.

You should also notify one of the Big Three credit-reporting agencies to place a fraud alert on your credit file, and that agency will notify the other two of the Big Three. You may want to consider instituting a credit freeze as well, though that can have some unexpected side effects. Here are instructions on how to place a fraud alert and credit freeze.

Mercedes-Benz USA said it was told by the unnamed vendor on June 11, as "part of an ongoing investigation" into an "issue ... uncovered through the dedicated work of an external security researcher," that the data "was inadvertently made accessible on a cloud storage platform." 

This just happened to Volkswagen too

On that same day, June 11, Volkswagen of America disclosed that it too had had the personal data of 3.3 million prospective and actual Audi customers exposed on an unnamed third-party vendor's database. Some of the Audi data later showed up for sale in an online cybercrime marketplace. 

The timing and striking similarities between the two incidents involving the North American branches of German luxury carmakers may be only circumstantial.

For the moment, it's not clear whether any of the Mercedes-Benz data was stolen from the database before its unprotected state was discovered and fixed. 

"We have no evidence that any Mercedes-Benz files were maliciously misused," the company said. "No Mercedes-Benz system was compromised as a result of this incident."

The company said that anyone trying to view the exposed data "would need knowledge of special software programs and tools" and that "an internet search would not return any information contained in these files."

The data was entered into Mercedes-Benz USA dealer and company websites by customers and prospective buyers between Jan. 1, 2014 and June 19, 2017, the company said.

If you have concerns, you can call Mercedes-Benz USA at (800) 367-6372.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.