Ferrari suffers data breach and refuses to pay ransom

21 Mar 2023


The stolen data reportedly includes customer names, addresses, emails and telephone numbers, with no evidence that payment details were included in the breach.

Luxury sports car maker Ferrari has confirmed customer data has been stolen in a ransomware attack.

The company said it was contacted by a threat actor, demanding a ransom related to “certain client contact details”. Ferrari said it immediately started an investigation in collaboration with a cybersecurity company and contacted relevant authorities.

The stolen information includes customer names, addresses, email addresses and telephone numbers, according to a breach notification letter seen by BleepingComputer. A similar email from Ferrari CEO Benedetto Vigna was also seen by Bloomberg.

Ferrari said the breach has had “no impact” on its operations and that it is working with third parties to reinforce its systems following the incident. The car maker also said it has no intention of complying with the ransom demands.

“As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks,” the company said in a statement. “Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident.”

The type of personal data stolen in this breach (names, postal addresses, email addresses and telephone numbers) can be used by attackers in phishing attacks, in which criminals pose as a trusted party to trick people into revealing sensitive data or installing malware. Knowing a customer's name and contact details makes such messages considerably more convincing.

Ferrari said in the email to clients that it has found no evidence that payment details or credit card numbers were stolen in the breach.

Rob Bolton, the VP of the EMEA region for Versa Networks, said Ferrari should be “praised” for confirming they will not pay any ransom demand.

“It is essential that organisations in similar situations do the same,” Bolton said. “Paying ransom demands is no guarantee that stolen data will be returned, and it will only help fund future ransomware activity.”

Last August, a survey from IT service provider Typetec found that around one-quarter of Irish SMEs have paid ransomware criminals multiple times, with the average ransom amount being €22,773.

This survey also found that more than two-thirds of those that paid a ransom still had their sensitive data leaked into the public domain.

“Even though the ransom has not been paid, there will still be concern among customers not knowing who has access to their data and what they’re using it for,” Bolton said. “Stolen employee data usually ends up being sold on the dark web and can be used to commit further crimes such as identity theft and fraud.”


Leigh Mc Gowran is a journalist with Silicon Republic
