Nearly 185,000 AutoZone customers are getting a lot more than they bargained for. The car parts retailer recently notified authorities that it had been the victim of a ransomware attack earlier this year, in which the hackers accessed the personal information of thousands of customers.
The company filed a breach notification with the Maine Attorney General’s office, stating that the hackers had obtained the full names and Social Security numbers of its customers. AutoZone said the hack took place in May and noted that the attack came from a vulnerability in MOVEit, file transfer software used by thousands of companies. Researchers found that the software led to 62 million people’s data being breached, making it one of the largest in recent times.
While credit card numbers and other personal information leaking is bad enough, Social Security numbers floating around on a hacker’s hard drive open up a world of identity theft possibilities. Companies generally offer a period of credit services after breaches like this, and AutoZone customers will get a year of credit monitoring.
If you’re wondering why it took the company six months to report the hack, it’s important to remember how complex some of the breaches can be. It takes time to determine the scope of the hack, and companies then have to conduct forensic documentation to locate and patch any vulnerabilities. It’s unfortunate that it takes so long, however, as it gives the hackers a giant head start to sell and use customers’ data.
Though the company reported the breach in Maine, its customers are nationwide. Interestingly, the state itself was part of the hack. In addition to the AutoZone breach, the MOVEit hack exposed the data of almost the entire state of Maine’s population. The state said that the bad actors had accessed data on 1.3 million people – the vast majority of its people. Federal government emails were also breached, along with Medicaid and Medicare data.