Personal Data of Over 184K People Stolen From AutoZone

Leading American automotive parts company, AutoZone, disclosed being victim to the June 2023, CI0p ransomware exploited MOVEit zero-day vulnerability attack. In individual notices, potential victims were warned about the exposure of their personal information.

According to the issued notification, the company suffered an indirect breach which led the unauthorized attackers to access sensitive information of around 184,995 people.

“AutoZone became aware that an unauthorized third party exploited a vulnerability associated with MOVEit and exfiltrated certain data from an AutoZone system that supports the MOVEit application,” the notice said.

It went on to say that the exfiltration of data was confirmed on or around August 15, 2023, post which the company decided to investigate the incident with the help of third-party security experts.

After three months of investigation, it was able to determine the type of data that was stolen and number of impacted victims. However, the notification did not reveal any details about the stolen information. Information about the type of data (name, other personal identifiers, combined with Social Security numbers) could only be determined in the disclosure to the Office of The Maine Attorney General.

AutoZone confirmed implementing the needed remediation security measures, including a 12-month complimentary identity theft protection service for impacted victims. It also advised people to remain vigilant and report any suspicious activity or fraud to the concerned authorities.

The May 2023 attack has already claimed millions of victims and impacted over two thousand organizations worldwide; resulting in several instances of extortion and stolen data leaks. Some of the prominent companies who either found their data published or ended up paying the ransom include TomTom, Toyota, Pioneer Electronics, ING Bank, Shell Global.