Carmaker Renault has been forced to notify an unspecified number of customers that their personal data may have been compromised by threat actors.
A notice posted to X (formerly Twitter) by security researcher Troy Hunt said a supplier was targeted in the incident.
“We are very sorry to inform you about a cyber-attack on one of our third-party providers, leading to some Renault UK customers’ personal data being taken from one of their systems,” it said.
“The third-party provider established that your data was included.”
Although no financial data or passwords appear to have been taken, the threat actors did manage to compromise:
- First and last name
- Gender
- Phone number
- Email and postal address
- Vehicle identification and registration number
As a result, affected customers can expect to be targeted by phishing attempts using the stolen data to add legitimacy to their scams.
“Be cautious of any unsolicited requests for personal information, especially requests made by email or phone,” the breach notice continued.
“You should never share your passwords online or on the phone – Renault UK will never ask you for this information.”
Gary Cannon, transport practice lead at NCC Group, said the attack should be seen in the context of a string of breaches in the sector, impacting JLR, Collins Aerospace and LNER.
“These cases highlight that supply chain security is a very much a business priority. Greater visibility, proactive detection capabilities, and response plans are essential to prevent widespread financial and operational damage in the instance of an attack,” he added.
“Vendor oversight from businesses is critical – an organization is only as secure as the weakest link in its supply chain.”
Renault was at pains to point out that its own systems were not compromised in this incident.
“The third party has confirmed that this was an isolated incident, which has now been contained and removed,” the notification read.
“We are working closely with them to ensure that all appropriate actions are being taken. We have notified all relevant authorities.”
Some individuals took to social media to say that customers of Renault’s budget brand Dacia were also impacted by the breach.
