Ferrari was hit with a ransomware attack that exposed customers’ personal information.
It’s not clear when Ferrari’s Italian subsidiary was contacted by a hacker or group with a ransom demand related to the exposure of customer information nor did Ferrari disclose the ransom amount.
Ferrari said it is investigating the breach with an unnamed “leading global third-party cybersecurity firm” and has informed law enforcement authorities.
Ferrari’s policy is not to pay ransom demands to hackers because the company thinks it will perpetuate cyberattacks.
While many companies will pay white hat hackers to find vulnerabilities, the auto industry pays among the least for discovering potential breaches, according to research by San Francisco’s HackerOne. It operates bug bounty programs for BMW, Ford, Rivian and Toyota.
“Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident,” Ferrari said in a statement. “We can also confirm the breach has had no impact on the operational functions of our company.”
Ferrari said it is working with third parties to reinforce the company’s information technology systems.
It’s not clear if Ferrari encrypted their customers’ data.
“While most organizations view customer data as an asset when it’s stored in an unencrypted fashion, it’s actually a liability,” said Dror Liwer, co-founder of Israeli cybersecurity company Coro.
Organizations facing extortion-related data leaks possibly face direct financial damages from lawsuits, fines, and loss of revenue from lawsuits and regulatory actions, Liwer said.
The number of publicly reported automotive cyberattacks is on the rise. In 2022, Israeli cybersecurity firm Upstream counted 268 publicly reported automotive cyberattacks, up from 245 incidents publicly reported in 2021.
Ferrari plans to make 80 percent of its cars battery electric powered by 2030. These EV offerings are likely to become even more software dependent and Internet connected in the coming years, possibly providing more avenues for cyberattacks.
Companies have a few avenues to deter ransomware attacks, said Javvad Malik, an executive at KnowBe4, a Clearwater, Fla., cybersecurity consultancy and training company.
“When it comes to ransomware, most attacks are successful through phishing, taking advantage of poor credentials or by exploiting unpatched vulnerabilities,” Malik said. “So at a bare minimum, organizations should focus on these avenues of attack.”