A California law requires companies to disclose if more than 500 state residents have been affected by a data breach. GM filed such a notification with the California Office of Attorney General on May 16, revealing that it discovered malicious activity on GM user accounts between April 11 and 29. IT Guru first reported the mandated disclosure. The law doesn’t force companies to reveal how many people were affected, though, so all we know at the moment is that the figure exceeds 500.
The automaker says the hack did not break into GM systems. Instead, we’re told accounts were targeted by a tactic known as credential stuffing, in which attackers take username and password pairs exposed in a breach elsewhere and try them on other sites, betting that people reuse passwords. In this case, the hackers got into customer accounts using those previously leaked credentials, then stole customers’ reward points and redeemed them for gift cards.
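The tactic described above leaves a recognisable footprint in authentication logs: one source address trying many distinct usernames with mostly failed logins, and the handful of successes pointing at the accounts that need a forced password reset. The following is an added example, not code from the article or from GM; the log lines, addresses and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample auth log: (timestamp, source_ip, username, outcome).
# One address sprays ten different usernames; two of the guesses succeed.
ATTACKER_IP = "203.0.113.7"  # constructed, documentation range
SAMPLE_LOG = [(f"2022-04-11T02:00:{i:02d}", ATTACKER_IP, f"user{i:02d}", "fail")
              for i in range(8)]
SAMPLE_LOG += [
    ("2022-04-11T02:00:08", ATTACKER_IP, "carol", "success"),
    ("2022-04-11T02:00:09", ATTACKER_IP, "dave", "success"),
    ("2022-04-11T09:15:00", "198.51.100.20", "bob", "fail"),     # typo, then retry
    ("2022-04-11T09:15:20", "198.51.100.20", "bob", "success"),
    ("2022-04-11T10:00:00", "198.51.100.21", "erin", "success"),
]


def detect_credential_stuffing(log, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that look like credential stuffing.

    A legitimate user mistyping a password hits one username from one
    address; a stuffing run hits many usernames with a high failure rate.
    Returns {ip: summary}, where summary lists the accounts that the
    flagged address logged into successfully (candidates for reset).
    """
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "hits": set()})
    for _ts, ip, user, outcome in log:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["total"] += 1
        if outcome == "fail":
            rec["fail"] += 1
        else:
            rec["hits"].add(user)

    flagged = {}
    for ip, rec in per_ip.items():
        ratio = rec["fail"] / rec["total"]
        if len(rec["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": rec["total"],
                "distinct_users": len(rec["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(rec["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The `compromised` list is the set of accounts to force through a password reset and to check for reward-point redemptions, which is the response the article describes GM taking.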
According to Gizmodo, the thieves did not get sensitive personal or financial information such as birthdays, social security numbers, driver’s license and credit card numbers, or bank details. The carmaker said such data isn’t stored in an owner’s GM account.
But the thieves got plenty of other information that a criminal group will likely try to pair with other lists of stolen data. The compromised data points are: first and last name, user name, phone number, home address, email address, profile pictures, avatars and photos, search and destination history, last known location, favorite locations, reward points, and the applicable OnStar package.
A GM statement said, “We took swift action in response to the suspicious activity by suspending gift card redemption and notifying affected customers of these issues. We also took steps to require those customers to reset their passwords at their next log in, and we reported this incident to law enforcement.” GM also replaced the reward points of every customer who had points stolen.