Intelligence experts KELA recently announced that almost 500,000 customer records of different car suppliers were being offered for sale on the dark web by hacking group “KelvinSecurity Team”.

According to reports, almost 400,000 UK based BMW customers’ data is being sold on the online black market. This data includes the initials and surnames of car owners, home addresses, email addresses, the names of dealerships and car-registration information. The data of Mercedes, SEAT, Honda and Hyundai car owners also form part of the compromised customer records.

Analysis of the records by KELA revealed the hackers may have extracted the data from a UK based BMW car dealer or a call centre that manages customers of different car suppliers.

This data breach highlights the common tactic hackers employ by targeting a “weak link” in an organisation’s supply chain to gain unauthorised access to customer data. To mitigate the risk of a third party supplier or group entity becoming the “weakest link” in your supply chain, we recommend:

• conducting due diligence on potential suppliers or group entities to assess their privacy compliance and information security procedures;
• including robust privacy and data security clauses in your agreement with suppliers; and
• working with your suppliers or group entities to improve their overall privacy capability and cyber resilience, such as conducting training and raising awareness of the privacy and information security standards you expect of your suppliers or group entities.