Like almost every major corporation in the world, Ford has to deal with hackers and potential data breaches on a regular basis. Ford data breaches previously occurred in 2018 and, one year later, in 2019, though thankfully at least one of them was caused accidentally by a third party. Apparently, another potential Ford data breach was avoided back in Q1 of 2021 thanks to a group of cybersecurity researchers, or “friendly hackers” as they’re otherwise known, according to the Detroit Free Press.
“Based on evidence provided to Ford and our internal investigation, we don’t believe any sensitive personal information about employees or customers was accessed or compromised in this instance, which was identified and addressed nearly six months ago,” Ford spokesman T.R. Reid told the Free Press. “The safety and trust of customers and employees is a top priority for our Ford cybersecurity team and processes.”
Researchers discovered that they were able to access customer and employee records, internal support tickets, user profiles, and finance account numbers. “A bug on Ford Motor Company’s website allowed for accessing sensitive systems and obtaining proprietary data, such as customer databases, employee records, internal tickets,” said information and technology news website bleepingcomputer.com. The “data exposure stemmed from a misconfigured … customer engagement system running on Ford’s servers,” according to the site.
“The impact was large in scale. Attackers could obtain troves of sensitive records, perform account takeovers, and obtain a substantial amount of data,” said security engineer Robert Willis, who originally discovered the vulnerability. “Researchers shared many screenshots of Ford’s internal systems and databases with BleepingComputer. For example, the company’s ticketing system.”
Until now, Ford had not publicly stated whether or not there was a data breach, telling BleepingComputer “the findings you submitted … are considered private. These vulnerability reports are intended to prevent compromises which may require disclosure.”