CA: Threat actors dump tens of thousands of driver’s license images and several thousand credit reports for customers of Walter’s Automotive Group

Credit reports for a few thousand customers of Audi Ontario and Porsche Ontario dealerships were dumped by ransomware threat actors who claim they locked Walter’s Automotive Group and exfiltrated data, but Walter’s would not respond to them. More than 22,000 driver’s license images were also in the data dump. 

If you bought an Audi or a Porsche from Audi Ontario or Porsche Ontario in California — or didn’t buy one but had just applied for credit for one of the two dealerships — your personal details and credit report may now be freely available on the dark web.

Threat actors known as Vice Society recently claimed to have locked and exfiltrated data from Walter’s Automotive Group. Walter’s owns Audio Ontario and Porsche Ontario, as well as  Porsche Riverside, Walter’s Mercedes-Benz, Walter’s Audi, and Walter’s Sprinter.

According to a Vice Society spokesperson’s statement to DataBreaches.net, Walter’s did not respond to their contact to initiate a ransom demand.  As a result, Vice Society dumped the data that they had exfiltrated during the attack.

In one folder alone, DataBreaches.net found more than 21,000 images of driver’s licenses.  The image files were date-stamped between  May of 2018 and May of 2021.  Another folder contained almost 4,400 files related to customer credit applications for customers of Audi Ontario. These did not all represent unique customers, as for each customer, there was often two or three files. The date stamps on these were between January 2017 and June, 2021. The applications and completed reports contain the applicant’s name, date of birth, current address, SSN, phone number, email address, current and past employers, past addresses, salary information, and credit history including FICO score, loan balances, etc.

Another folder under Audi Ontario contained almost 200 driver’s license images.

Credit applications for some Porsche Ontario customers or potential customers were also found in the dump. There were more than 1,000 files, but again, that is not the number of unique customers. Most of the credit report applications and reports are within the last year.  There was also a file with more than 1,000 driver’s license images.

Neither Audi Ontario, Porsche Ontario, or Walter’s Automotive Group replied to multiple inquiries sent to them this past weekend via web site contact forms as well as email to the automotive group’s IT department.

DataBreaches.net sent email inquiries tonight to a few recent customers of Audi Ontario. One already replied, and informed this site that he has not been notified by Walter’s or the dealership of any data theft or incident. If the dealerships or Walter’s responds to this site’s inquiries, this post will be updated.


Update: Post-publication, DataBreaches.net learned that what sounds like these data had been put up for sale on a popular forum at around the same time the data were listed on Vice Society’s site.  See Ax Sharma’s report here. His report raises the question as to whether the victim of this breach might have been eLend — and not Walter’s Automotive Group, as this site reported.  Other folders and files in the Vice Society data dump contain what appears to be employee information on Walter’s employees and spread sheets created by Wayne Fitkin, Walter’s Automotive Group’s IT Director.

Update 2: An Audi Ontario customer that I contacted last night got back to me now and reported that he had spoken with the dealership. He writes, in part:

They are aware of this and have been working with FBI and cyber authorities. They said they have no idea what data has been compromised or by who. But that they will “send a letter” once known.

They have no idea what data has been compromised?  Surely the FBI and/or the “cyber authorities” they are working with would have spotted it or known where to look for it. The dealership or its consultants could have downloaded a full copy of it last week.

Yet they tell a victim today that they have no idea what has been compromised?

About the author: Dissent

Leave a Reply

Your email address will not be published.Email address is required.

This site uses Akismet to reduce spam. Learn how your comment data is processed.