Major Cyber Attacks Targeting the Automotive Industry 2025
The automotive industry isn’t just battling supply chain headaches and the race to electrification. It’s also facing a relentless wave of cyberattacks. From carmakers and parts suppliers to rental agencies and dealerships, attackers have found that the sector holds a goldmine of sensitive data, intellectual property, and operational systems ripe for disruption. Over the past year, we’ve seen breaches ranging from ransomware groups stealing design files to cloud misconfigurations exposing millions of drivers’ personal details. Below, we take a closer look at the most significant cyber incidents that have shaken the automotive world between 2024 and 2025.
Country Distribution of Dark Web Posts
Source: SOCRadar Dark Web News
Dark Web chatter around the Automotive Industry is heavily skewed toward the United States, which accounts for nearly a quarter (23%) of all related posts. France (8%) and India (7%) follow at a distance, with Russia and China each making up just under 5%.
Southeast Asia also features in the mix, with Indonesia and Thailand collectively contributing over 6%.
The distribution suggests that while threats and illicit activity are global, the U.S. remains by far the most targeted or discussed market in underground forums.
Industry Distribution of Dark Web Posts
Source: SOCRadar Dark Web News
Dark Web discussions span a wide range of industries, with public administration (13%), information services (11%), and finance and insurance (10%) taking the lead as the most frequently mentioned targets.
Retail trade (8%) and online shopping platforms (6%) also feature prominently, reflecting attackers’ continued focus on consumer-facing sectors.
Technical and educational services both hover around 4%, while emerging sectors like cryptocurrency and NFTs represent just over 3%.
At the bottom of the list, automobile dealers account for less than 1% of the dark web posts. The real share of automotive-related activity is higher, however, because many of the larger sectors such as finance, retail trade, technical services, and information also include companies that operate directly within or alongside the automotive industry.
Avis Confirms Data Breach Affecting Nearly 300,000 Customers
Source: David Paul Morris/Bloomberg News
Avis Rent a Car has disclosed a major data breach after discovering that hackers accessed one of its business applications earlier this summer. In notices filed with Attorneys General in California, Texas, Maine, and Iowa, the company revealed that an “unauthorized third party” broke into its systems between August 3 and 5, 2024.
According to Iowa’s filing, the breach impacted 299,006 customers. The exposed data includes sensitive personal information such as names, mailing and email addresses, phone numbers, dates of birth, driver’s license numbers, and even credit card details with expiration dates.
240GB of Toyota U.S. Data Shared on Dark Web
Source: SOCRadar Dark Web News
Toyota confirmed that customer and employee data was leaked online following a breach at a third-party entity connected to the company. The disclosure came after a hacker group known as ZeroSevenGroup published a 240GB archive of stolen files on a Dark Web forum.
The leaked data reportedly includes information on Toyota employees and customers, contracts, financial records, and even network infrastructure details such as credentials. The hackers claim they gathered the information from a U.S. branch using ADRecon, an open-source tool that maps Active Directory environments.
Toyota stressed that its own systems were not directly compromised. The company emphasized that the incident was “limited in scope” and not a “system-wide issue.” A follow-up clarification said the data originated from a third-party entity that was “misrepresented as Toyota.”
This is not Toyota’s first brush with data security challenges. In 2023, the company admitted that a misconfigured database had exposed the location data of 2.15 million vehicles for nearly a decade, and later discovered two additional cloud misconfigurations leaking data for more than seven years.
That same year, Toyota Financial Services in Europe and Africa was hit by the Medusa Ransomware group, leading to the exposure of sensitive financial data. Earlier, in 2019, attackers accessed up to 3.1 million records from Toyota and Lexus subsidiaries.
487GB Data from Kawasaki Motors Europe Leaked by RansomHub
Kawasaki Motors Europe (KME) first disclosed the incident in early September, describing it as a cyberattack that was ultimately unsuccessful. At the time, the motorcycle maker said it had taken precautionary steps, including isolating servers and running a “cleansing process” to check for infections. The company reported that it had restored more than 90% of its server functionality and resumed normal operations with dealers, suppliers, and logistics partners.
However, behind the scenes, RansomHub had already listed Kawasaki on its Dark Web leak site, claiming to have stolen 487 gigabytes of sensitive data. The group threatened to release the files unless Kawasaki paid a ransom. When the company refused, the attackers followed through over the weekend and dumped the information online.
The leak represents a significant escalation from what the company initially described as a contained incident. It also highlights how ransomware groups are increasingly relying on data theft and extortion, even when they fail to disrupt a target’s systems.
Volkswagen Subsidiary Cariad Exposes Data of 800,000 Electric Vehicles
Source: Michael Probst/AP
Volkswagen’s software arm, Cariad, has come under fire after leaving terabytes of sensitive customer data exposed in the cloud. The exposed information could have revealed the precise movements of hundreds of thousands of drivers across Europe.
The issue came to light on November 26, 2024, when the Chaos Computer Club (CCC) notified the company that databases in Amazon Web Services (AWS) had been left unprotected. The exposed records included data from nearly 800,000 Volkswagen Group vehicles across several brands. The data contained geolocation records accurate to within a few centimeters.
The findings were particularly alarming because the exposed fleet included sensitive users. According to German outlet Spiegel, some cars belonged to Hamburg’s police department, and others were linked to suspected intelligence service employees. The Spiegel team was even able to tie vehicle data back to two German politicians by analyzing the leaked information with publicly available software.
The flaw was traced back to a memory dump from a Cariad application, which contained cloud access keys. These keys led researchers to the exposed storage instance holding vast amounts of driver and vehicle data. While Cariad says the information was pseudonymized, meaning direct identifiers were hidden, it was still possible to correlate datasets and link them back to individuals.
Cariad has emphasized that accessing the data required bypassing several security layers and combining datasets, suggesting that this was not an issue exploitable by “anyone with little technical knowledge,” as initial reports suggested. The company said it responded immediately after CCC’s disclosure, closing access the same day. CCC itself confirmed that Cariad’s technical team reacted “quickly, thoroughly and responsibly.” At this stage, Cariad says it has found no evidence that the exposed data was accessed or misused by anyone outside of the CCC researchers.
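The root cause described above, a memory dump that contained cloud access keys, is the kind of artifact a pre-release or incident-response check can scan for. The sketch below is an added example, not code from Cariad, CCC, or the original article: it looks for AWS access key IDs in a dump, in both plain and UTF-16 string layouts, and reports only redacted findings. The function names, window size, and sample bytes are assumptions constructed for illustration; the key values are AWS documentation placeholders.

```python
import re

# AWS access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary) + 16.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-alphabet chars; only checked near a key ID.
SECRET = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
WINDOW = 512  # view bytes searched on each side of a key ID (assumed value)

def _views(data):
    """Raw bytes plus both byte-strided views, so strings stored as UTF-16
    (either alignment or endianness) are also seen as plain ASCII."""
    yield "ascii", data, 1, 0
    yield "utf16", data[0::2], 2, 0
    yield "utf16", data[1::2], 2, 1

def scan_dump(data):
    """Return redacted findings; the full key is never included."""
    findings = []
    for enc, view, step, phase in _views(data):
        for m in KEY_ID.finditer(view):
            key = m.group().decode()
            near = view[max(0, m.start() - WINDOW): m.end() + WINDOW]
            findings.append({
                "offset": m.start() * step + phase,  # first key byte in dump
                "encoding": enc,
                "key_id": key[:4] + "..." + key[-4:],
                "temporary": key.startswith("ASIA"),
                "secret_nearby": bool(SECRET.search(near)),
            })
    return sorted(findings, key=lambda f: f["offset"])

# Constructed sample dump: placeholder credentials, not real ones.
SAMPLE_DUMP = (
    b"\x00\x01HPROF-like header (constructed)\x00"
    b"aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\x00"
    b"aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\x00" * 600
    + "token for ASIAEXAMPLEEXAMPLE12 ".encode("utf-16-be")
)

if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP):
        print(finding)
```

Any hit means the key should be treated as exposed and rotated, and the dump should not leave the host or be stored anywhere publicly reachable.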
Hertz Data Breach Tied to Cleo Software Flaw
Source: Casey Brooke Lawson
According to a filing with the Maine Attorney General’s office, Hertz learned on February 10, 2025, that hackers had accessed personal data between October and December 2024. The breach impacted more than 3,400 Maine residents, though the total number of victims nationwide has not been disclosed.
The Clop ransomware gang has claimed responsibility for the broader campaign, which exploited critical vulnerabilities in Cleo Harmony, VLTrader, and Lexicon software. The flaws (CVE-2024-50623 and CVE-2024-55956) allowed attackers to upload files without restriction and execute arbitrary commands on targeted systems. Security researchers at Huntress also confirmed that Hertz was listed on Clop’s leak site, though it remains unclear whether a ransom demand was made.
Vulnerability info of CVE-2024-50623 (SOCRadar Vulnerability Intelligence)
Scania Hit by Cyberattack, Insurance Data Stolen and Put Up for Sale
Source: SOCRadar Dark Web News
Swedish truck and bus maker Scania has confirmed a cyberattack that saw hackers steal insurance claim documents from its financial services systems. The breach, which occurred on May 28–29, 2025, was carried out using credentials from an external IT partner that had been compromised by infostealer malware.
According to Scania, the attackers gained access to insurance.scania.com and downloaded sensitive claim-related files. Shortly after, Scania employees began receiving extortion emails from a ProtonMail address, with threats to leak the stolen material if demands were not met.
Threat monitoring platform Hackmanac later spotted a post on a Dark Web forum by a user known as “hensi,” offering the stolen data to a single buyer. Samples of the documents have since appeared online.
The stolen claim files likely include personal, financial, and potentially medical details, raising concerns for affected customers. Scania says it has secured the compromised system and is continuing to investigate.
147,000 Customers Affected in Singapore Dealer Data Breach
Cycle & Carriage has suffered a data breach affecting its customer database, impacting approximately 147,000 records. The company, which represents brands including Mercedes-Benz, Mitsubishi, Kia, Citroën, and Peugeot, said it was alerted on July 14 to unauthorized access to its customer relationship management system.
Cycle & Carriage said that the threat actor managed to download some customer information, most of which was incomplete or partially missing. The records potentially included names, email addresses, and phone numbers, while around 2% of the affected records contained National Registration Identity Card (NRIC) numbers and deposit amounts. Importantly, no banking or credit card information was compromised.
Qilin Ransomware Gang Steals 4TB of Nissan Design Data
Dark Web Forum Post Related to Creative Box Inc. – Source: SOCRadar Dark Web News
One of Nissan Japan’s subsidiaries, Creative Box Inc. (CBI), suffered a significant data breach after unauthorized access to its servers. The incident follows claims by the Qilin Ransomware group that they had stolen four terabytes of data from the Tokyo-based design studio.
According to Nissan, suspicious access was detected on the data server of Creative Box Inc. (CBI) on August 16, 2025. They immediately blocked access to the compromised server and reported the incident to authorities. CBI, a wholly owned Nissan subsidiary, was established as a “think tank” focused on experimental and concept vehicle designs.
Qilin claimed to have taken all design projects from CBI and threatened to release them, potentially giving competitors an advantage. As proof, the group published 16 images showing 3D car designs, spreadsheets, documents, and interior images.
Cyberattack Forces Jaguar Land Rover to Halt Shipments
Source: Reuters
The automaker Jaguar Land Rover (JLR), owned by India’s Tata Motors, confirmed that it was forced to shut down its IT systems after detecting a serious incident that has “severely disrupted” its retail and production operations.
JLR stressed there was no evidence that customer data had been compromised but admitted in a statement that the disruption was significant. The breach comes amid a surge of sophisticated attacks targeting major UK brands.
Jaguar Land Rover’s factories in the UK and overseas remain at a standstill more than a week after the carmaker was hit by a major cyberattack. The disruption has forced JLR to halt production at its Halewood and Solihull plants, its Wolverhampton engine facility, as well as sites in Slovakia, China, and India. Staff on the production lines have been told to stay home until at least Wednesday.
The attack, which began on August 31, prompted JLR to shut down its IT systems to protect them from further damage. But the move has had wide-ranging consequences, not only halting assembly lines that normally turn out around 1,000 vehicles a day, but also affecting dealerships and garages, which initially struggled to register cars or order spare parts. Workarounds have since been introduced, but the impact on suppliers has been significant, with some sending their own employees home.
The cyberattack adds another layer of volatility to a company already navigating tariffs, weaker markets, and now, the growing threat of digital disruption.
Conclusion
The past year has made one thing clear: no corner of the automotive ecosystem is immune to cyber risk. Customer-facing firms like Avis and Cycle & Carriage Singapore showed how attackers can monetize personal data, while Hertz’s Cleo-related breach underscored how third-party software vulnerabilities ripple across industries.
On the manufacturing side, Kawasaki Motors Europe and Jaguar Land Rover faced ransomware and IT shutdowns that disrupted production and dealer networks.
Meanwhile, Volkswagen and its software arm Cariad were hit with massive data exposures, leaking 15 million driver records and terabytes of EV telematics. This reminds us that misconfigured cloud systems can be just as damaging as deliberate attacks.
Intellectual property also emerged as a target, with Nissan’s Creative Box Inc. losing 4TB of sensitive design files to the Qilin group, while Scania was extorted over stolen insurance claim documents.
Together, these incidents paint a picture of an industry under siege on multiple fronts: personal data theft, operational disruption, and the compromise of highly valuable R&D.
For automakers and their partners, cybersecurity is no longer just about protecting customer records; it’s about safeguarding the very blueprints of the cars and systems that will define the next generation of mobility.

