Criminals take Renault UK customer data for a joyride

Renault UK customers are being warned their personal data may be in criminal hands after one of its suppliers was hacked. In an email sent to affected individuals this week, seen by The Register, the French carmaker said attackers accessed the supplier's systems and made off with customer details including names, gender, phone …

  1. ComicalEngineer Silver badge

    Another 3rd party hack

    You gave your details to Renault, they entrusted them to a 3rd party which you probably didn't realise, then the 3rd party got hacked and your personal details are out in the wild. Who is actually responsible for this, Renault or the anonymous 3rd party, and who will protect the individuals concerned and cover their losses from the data breach?

    Too many companies trusting *our* data to 3rd parties.

    1. Test Man

      Re: Another 3rd party hack

      Renault.

      We gave our details to Renault. It doesn't matter if they entrusted said data to someone else, we gave our data to Renault.

      So it's Renault who will cover any losses and protect the individual.

    2. hoola Silver badge

      Re: Another 3rd party hack

      It is a convenient way to shift responsibility.

      Renault are the data owner and if they contract a third party it should make no difference. Renault must still be responsible; however, the third party is also culpable. Just like any big business, hiding behind contracts, outsourcing and third parties is standard practice so that those who ultimately should be responsible are not.

      Just like all the double glazing companies with a 10 year guarantee but the business is wound up every other year.

    3. MachDiamond Silver badge

      Re: Another 3rd party hack

      "Who is actually responsible for this, Renault or the anonymous 3rd party,"

      Yes

    4. Anonymous Coward

      Re: Another 3rd party hack

      The party you entrusted your data to is responsible from your perspective. It doesn't matter that they handed it to a 3rd party (which should have been bound to the same rules before it got its hands on any data), Renault UK is the party that has to answer to you.

      That they will pass on the deserved flogging to this 3rd party is understood, but that should not be your problem AFAIK - it was their job to assure themselves that the 3rd party was safe enough to handle your information on their behalf. That is, BTW, the main vector by which large companies get attacked: attack the supply chain, which is populated by smaller companies that have fewer resources to protect themselves.

  2. Taliesinawen

    Always blame the third party supplier ..

    > Renault UK customers are being warned their personal data may be in criminal hands after one of its suppliers was hacked ..

    Still the fault of Renault who passed their customer data to the third party supplier.

  3. Anonymous Coward

    It’s OK

    The info you gave to us (that we shared with the hills) is still secure on our systems.

  4. werdsmith Silver badge

    I was notified of this, as I once enquired about a test drive. There is nothing that I gave them that isn't already receiving nuisance activity from lowlifes.

  5. Diogenes8080

    A quick search suggests the global Renault IT suppliers are Atos, Cap Gemini, Dassault, Google Cloud, Salesforce and possibly a dash of Azure.

    If a Renault UK user was compromised, the data subsequently stolen might well be limited in scope to the UK. I wonder which supplier that points to, if the unnamed guilty party is in the above list ?

    And thinking of how these franchises are structured, exactly who is responsible in the above scenario? Renault, certainly, but the global group or the UK franchise ? That could make a difference to getting an adequate response (ha!) if your data is in the pot.

    1. tip pc Silver badge

      The 3rd party supplier Renault handed the data to may use none of the suppliers you mentioned.

  6. steamnut

    Why did Renault give so many of the car owners' details to a supplier?

    As Renault hold the original data and, presumably, passed the data on to their suppliers, the Data Protection responsibility probably still lies with Renault in the first instance for giving the data to a third party.

    The ICO will have an interesting time working out who to fine. Renault too will be looking for compo from someone.

    Another week another database hack.

    1. munnoch Silver badge

      There's been lots of these data breaches over the last few months but I have yet to hear of the ICO handing out a fine. Does it ever happen?

  7. TrickyRicky

    Cue the fake 'notice of prosecution' for motoring offences coming through your door in 3, 2, 1...

    The hackers must have all the data to make a phish convincing enough to fool many people.

  8. riverrock83

    It must be all of their contact databases / details. I'm wondering if related to the dealer network - some people are saying their only interaction with Renault was a test drive many years ago.

    My wife's details are only on the sale documentation of our car - she doesn't think she has ever had an email from Renault beyond interaction with the dealer. I got the email - my interactions include warranty management and signing up to their app.

    Ironically - they probably brought together all of their contact databases to allow them to comply with GDPR (etc).

    1. werdsmith Silver badge

      My interaction was an online enquiry about a test drive, and I never actually followed up. I was notified that my details are included in the disclosure. There was no vehicle information or VIN, nor any address given by me.

  9. Anonymous Coward

    Does it include Nicole's phone number ?

    Asking for a friend ...

    1. Evil Scot Silver badge

      Re: Does it include Nicole's phone number ?

      Papa???

  10. Anonymous Coward

    " carmakers proving a rich target thanks to the mountains of personal data gathered during sales, servicing and financing. "

    ... and not giving a f**k to store it even remotely safely. There's no profit in it so they don't do it.

    One reason a new car (from a dealer) is a serious no-no: Cars are full of spyware and *all* the data they collect is stored in a non-encrypted S3-bucket (or similar) somewhere.

    Because actually protecting it would cost money.

    --- modern cars offering no privacy at all is another problem, but the absolute sloppiness in handling that data is even worse: "Just send everything in plain text over internet, cheaper that way".

  11. JJHH

    Strongly suspect that Renault are another victim of the Salesforce breach

    The data leaked included contact information, car details and personal information such as date of birth. They have said that this did not include financial information or passwords. Given this mix of data items, the most likely use of this lost data, in my opinion, is for CRM aka marketing. And one of the most likely third party service providers for this activity is Salesforce, especially given their recent huge breach.

  12. MachDiamond Silver badge

    No financial data

    As if this is the only valuable information in a data breach. After getting everything else so it's easy to match up the person in a big data archive, they now have make/model/year of the car that person drives which can broadly be used to estimate income.

    There was a story some years ago about Target compiling information on its rewards card holders and had a good take on when a woman became pregnant. In the story, the woman was a teenager whose father was, not informed of the girl's dilemma, unhappy about all of the advertisements for baby stuff arriving for the daughter. He made his unhappiness known to the local store manager and later went back to apologize. Given enough information on somebody, lots of non-disclosed information can be derived. I had a friend that got scammed and realized it immediately after so was able to cut it off before too much damage was done. The person that called "from the cable company" had an enormous amount of information with the exception of one tiny little thing that he socially engineered out of her. I keep telling her that smoking pot is a bad idea and she may have only been firing on a few cylinders when she answered the call that evening which is why she got taken in. There are legitimate companies that will ask to "verify" information by which they really mean they want you to tell them that information over the phone and I'm not even confident that if I call a toll-free number that it's gone to where I expect it to have gone.

    Any data breach these days is an issue as there are more and bigger companies collecting and collating it. Companies such as Google make lots of money from ads, but they make more selling PII and targeted marketing services.

  13. ShingleStreet

    The big boy did it and ran away.

    It’s easier to blame the supplier than to do proper security due-diligence when contracting the supplier in the first place.

    All of the corporates which I provided security consultancy for, had a comprehensive and well-rehearsed process for doing this 3rd party security due-diligence. In some cases I helped them create it or strengthen it.

    On occasions you would come across a company which was much larger than your own little corporate and they wouldn’t submit to individual audits of their security processes. However, those with robust security would generally have a pre-prepared statement which answered most questions we would have asked. Those that didn’t play ball, well, what approach you took depended upon who and what they were.

    Renault, given their scale, should not have had this issue. It would be interesting to see their process for vetting the security practices of the suppliers that they entrust our data to.

    As an aside, as a buyer of the first batch of Alpine-Renault A110 when they came out in 2018, I also received this email.

    SS

  14. Vivid Professional

    Well, I needed a radio code for a 2007 Clio and HAD to submit it in an email. Renault have contacted me in regards to this, as has a solicitor, so looks like Renault have admitted fault and are probably expecting a payout to people.

    I hope it's more than £300, which would mean I got a car for free...
