Japanese car maker Mazda Motor Corporation has disclosed a data breach impacting the personal information of hundreds of employees and business partners.
The incident, the company says, was discovered in mid-December and involved “unauthorized access to the management system used for warehouse operations involving parts procured from Thailand”.
The information belongs to employees of Mazda and its group companies, and to business partners. A total of 692 records were compromised, the company said in an incident notification (PDF).
The exposed information, the car maker says, includes company-issued user IDs, names, email addresses, company names, and business partner IDs.
Mazda says no customer information was compromised in the attack, as this type of data is not stored in the hacked system, “and therefore there is no possibility that such information was affected”.
It also noted that the hackers accessed the management system by exploiting security defects in the application, but did not name the software and did not specify which bugs were exploited.
“The cause of this incident was determined to be unauthorized access by a third party through the exploitation of security vulnerabilities in the system used for the company’s business operations,” Mazda said.
In November, the car maker confirmed to SecurityWeek that it had been targeted in the Oracle E-Business Suite (EBS) hacking campaign, but said at the time that it had not found evidence of data leakage.
Mazda says it reported the newly disclosed data breach to the relevant authorities, promptly applied security patches, revised access policies and access monitoring, and restricted internet access.
“Currently, no secondary harm has been confirmed. However, there is a possibility that the exposed personal information could be misused in the future, such as for phishing scams or spam emails. If you receive any suspicious communications, please exercise caution,” the company said.
Responding to a SecurityWeek inquiry, a Mazda spokesperson refrained from sharing details on the compromised management system, but suggested that the newly disclosed incident is not related to the Oracle EBS hack.
The spokesperson did not attribute the attack to a specific threat actor, citing the ongoing investigation and noting that “no contact from attackers has been confirmed.”
Related: Navia Data Breach Impacts 2.7 Million
Related: Marquis Data Breach Affects 672,000 Individuals
Related: Security Firm Aura Discloses Data Breach Impacting 900,000 Records
