Car Giant Stellantis Confirms Third-Party Breach

Stellantis, one of the world’s leading car manufacturers, has confirmed it was affected by a cyber incident targeting a third-party supplier.

In a September 21 statement, the group said it “recently detected unauthorized access to a third-party service provider’s platform that supports our North American customer service operations.”

The carmaker also confirmed that customers’ personal information was potentially exposed but was “limited to contact information.”

No stored financial or sensitive information was accessed by the attackers, Stellantis added.

The group has quickly activated its incident response protocols to shed light on how its systems and those of its third-party supplier have been affected. It also initiated “a comprehensive investigation and took prompt action to contain and mitigate the situation,” the statement read.

“We are also notifying the appropriate authorities and directly informing affected customers.”

Affected Stellantis customers have been told to expect potential phishing attempts and urged to avoid clicking on suspicious links or sharing personal information in response to unexpected emails, texts or calls.

On September 22, the group ShinyHunters, believed to be part of the cybercriminal collective The Com, claimed responsibility for the breach.

BleepingComputer, a cybersecurity media outlet, reported that the breach affecting Stellantis’ supplier is part of a recent wave of Salesforce data breaches linked to ShinyHunters.

Earlier this month, a cybersecurity incident “severely disrupted” Jaguar Land Rover’s (JLR) retail and production operations, initially forcing the British carmaker to halt factory production until September 24.

More recently, JLR confirmed the halt would be extended for another week, until at least October 1.

Stellantis in Difficult Financial Situation

Stellantis is one of the world’s largest automotive companies, with an annual revenue of $169.758bn in 2024.

The group was founded in January 2021 from the merger of Fiat-Chrysler Automobiles and PSA Group and owns many major car brands, such as Alfa Romeo, Chrysler, Citroën, Fiat, Jeep, Opel, Peugeot and Vauxhall.

News of the cyber incident broke at a difficult moment for the group, which saw its revenue drop to $76.320bn for the period from June 2024 to June 2025, a 34.24% decline year-over-year.

Additionally, the automotive group announced on September 22 that a factory employing 2000 people in Poissy, on the outskirts of Paris, was suspending production for 15 days.

The halt, from October 13 to 31, will help the group “adjust its production pace to a challenging European market and better manage inventory levels before the end of the year,” a Stellantis spokesperson told AFP.

Stellantis was contacted by Infosecurity about the third-party breach but declined to provide further information.

Photo credits: odecam / rikstock / Shutterstock.com
