Stellantis info hacked

MT1

Well-Known Member
First Name
Matthew
Joined
Apr 10, 2024
Threads
1
Messages
133
Reaction score
140
Location
So Cal
Vehicle(s)
2023 JTR
Occupation
Software
My cell phone carrier was hacked and my data was stolen (T-Mobile). My bank was hacked and data stolen. My DMV was hacked and my data stolen. Every big corporation I have done business with seems to have already been hacked and "offered free credit monitoring." This whole system is a scam.
Companies buy insurance to protect against loss during a breach. The security audits are focused on showing the insurer that best practices were used. I know of exactly one person working in IT Sec that asked the users what devices should have internet access. The other devices were excluded from the WAN with internet access. That was very fortunate for the company, keeping the breach quiet, as the customer facing devices stayed up, while every other device became useless.
 

Aj58

Well-Known Member
Joined
Oct 31, 2022
Threads
28
Messages
546
Reaction score
713
Location
id
Vehicle(s)
24 Mojave X
It's too late for this one, but the following opt-out instructions can prevent future (FCA) 3rd-party data breaches. Prevention is within an FCA/Jeep customer's control.

See the section on opt-out:
https://www.jeepgladiatorforum.com/...nance-summary-on-local-pc.87775/#post-1601921
This is not necessarily the same. Opt out is typically for who Stellantis shares your data with or sells it to. It may help limit your footprint but it wouldn’t have stopped this one.

Once you make a purchase, Stellantis has your data. It’s just whether or not they can share it with 3rd parties or sell it. Stellantis didn’t sell this or share this with Salesforce, they just used Salesforce as an internal tool.
 

ShadowsPapa

Well-Known Member
First Name
Bill
Joined
Oct 12, 2019
Threads
247
Messages
40,440
Reaction score
53,854
Location
Runnells, Iowa
Vehicle(s)
'25 JTMX, '23 JLU 4xe, '82 SX4, '73 Javelin
Occupation
Retired auto mechanic, frmr gov't ntwrk security admin
Vehicle Showcase
3
Only when they are legally required to disclose the breach. And the release will likely be only to the people whose data was compromised. But hey, you might get two years of "free" identity theft coverage. I use "free" since you have to share with the monitoring company the data to be monitored, like provide them with your SSN so they can check for your SSN on the various brokerage sites.
Really funny when the credit bureau tracking all of your credit histories gets hacked. You gotta be kidding me! Nope, it happened.
The issue isn't so much the security such as firewalls, routers, switches and so on, it's the PEOPLE who open emails, bring things in from home, respond to phishing emails...
Or in the case of PFG, it was the web team refusing to update/patch the web servers; in another case, a company officer opened an email they should not have.
 

ShadowsPapa

This is not necessarily the same. Opt out is typically for who Stellantis shares your data with or sells it to. It may help limit your footprint but it wouldn’t have stopped this one.

Once you make a purchase, Stellantis has your data. It’s just whether or not they can share it with 3rd parties or sell it. Stellantis didn’t sell this or share this with Salesforce, they just used Salesforce as an internal tool.
And it's those tools that have weaknesses that cause many of the issues. Think back to the software many government agencies used - including where I used to work - to do network/server monitoring and reporting. It had some "holes" in it...
It's when you trust 3rd party apps on your stuff that you open things up, no matter how good your firewalls are. Or in the cases I've seen, 3 days after TRAINING on network security, not to open or respond to certain things, an employee of the financial department opened and responded to a phishing email - and put in the information asked for. Luckily by that time we had software that detected such attacks, and it was ultimately blocked.
 

Aj58

Equifax, nothing to see here. We ain’t gonna patch that lol.

Funny thing with this is the group that started with SIM swapping at T-Mobile evolved into this group, or a subset of it, that did this.

And you're right, they don’t necessarily hack like most people think. They just call the help desk up, ask them to reset their password and then log in.

Or in this case, ask them to “upgrade” the Salesforce connector, which is actually malicious.

Yep, back to people being the weakest link.
 

g2020

Well-Known Member
First Name
David
Joined
Oct 30, 2024
Threads
22
Messages
214
Reaction score
272
Location
Texas USA
Vehicle(s)
2020 Jeep Gladiator Sport
This is not necessarily the same. Opt out is typically for who Stellantis shares your data with or sells it to. It may help limit your footprint but it wouldn’t have stopped this one.

Once you make a purchase, Stellantis has your data. It’s just whether or not they can share it with 3rd parties or sell it. Stellantis didn’t sell this or share this with Salesforce, they just used Salesforce as an internal tool.
Although this would not have prevented the recent data breach (technical details withheld), FCA should be using system flags to limit information that is transferred from FCA to third parties.

- Opt Out of Sharing = opt out of data sharing, and includes third-party data sharing
- All pessimism aside, Stellantis/FCA/Jeep/MOPAR and Salesforce are required to honor customer opt-out requests by law

Completing the opt-out steps sooner is better:
  1. Set up an account on mopar.com before you buy a Jeep/FCA vehicle
  2. In both opt-out sections, submit one opt-out request for each email address (email address is generally used as the unique identifier for you)
    1. For best results, use the same email address for all interactions with Jeep
  3. As soon as you buy your vehicle, link the VIN on mopar.com

Here is the key part of Privacy Choices (2nd of 2 steps) in my original reply:

- Click Manage Your Privacy Choices at bottom of page on mopar.com
- This will bring you to the FCA US LLC Privacy Portal
- Complete the web form to submit a request to FCA US LLC
- Click each of the three (3) buttons so that each one turns BLUE
- Complete the remaining steps in this process


Also see:

In-dash advertisement opt-out
OP: @Sweetums
- Opt Out of In-Vehicle Message (IVM) technology
- Permanently end pop-up advertisements on Uconnect touchscreen display / infotainment system
 

Aj58

FCA US LLC and, especially, Salesforce Inc should be using system flags to limit information that is transferred from FCA to Salesforce. I will spare you the details on how it's done, but anyone who works with this data is, or should be, aware of the rules/laws/policies regarding opt-out. P.S. - I did this stuff for a big IT company.

- Opt Out of Sharing = opt out of data sharing, and includes third-party data sharing
- All pessimism aside, Stellantis/FCA/Jeep/MOPAR and Salesforce are required to honor customer opt-out requests by law

Here is the key part of Privacy Choices (2nd of 2 steps) in my original reply:

- Click Manage Your Privacy Choices at bottom of page after logging into mopar.com
- This will bring you to the FCA US LLC Privacy Portal
- Complete the web form to submit a request to FCA US LLC
- Click each of the three (3) buttons so that each one turns BLUE

I’m familiar with data management as well. Salesforce is a CRM that stores customer data. Salesforce does not inherently have access to this data. In data privacy this isn’t considered sharing because Salesforce is not using the data for their own personal business. This data is the property of FCA, just stored in Salesforce's infrastructure. The only time Salesforce may get access to it is during a support issue initiated by FCA. Even in this case, an FCA employee with proper permissions would have to allow Salesforce support staff to log in. And even then they are not allowed to use the data for reasons outside of troubleshooting the problem that was brought up. Specifically, under GDPR Salesforce is a processor, not a 3rd party.

For simplicity's sake, when you opt out, all it does is set a Boolean value to true or false. This ties to all of your data stored in Salesforce. When FCA decides to sell the data they have collected, they simply filter on who is opted in vs who is opted out. Your data will continue to reside in Salesforce either way. It will just not be sold, shared with 3rd parties or used to profile you if you choose to opt out.
 

g2020

I’m familiar with data management as well. Salesforce is a CRM that stores customer data. Salesforce does not inherently have access to this data. In data privacy this isn’t considered sharing because Salesforce is not using the data for their own personal business. This data is the property of FCA, just stored in Salesforce's infrastructure. The only time Salesforce may get access to it is during a support issue initiated by FCA. Even in this case, an FCA employee with proper permissions would have to allow Salesforce support staff to log in. And even then they are not allowed to use the data for reasons outside of troubleshooting the problem that was brought up.

For simplicity's sake, when you opt out, all it does is set a Boolean value to true or false. This ties to all of your data stored in Salesforce. When FCA decides to sell the data they have collected, they simply filter on who is opted in vs who is opted out. Your data will continue to reside in Salesforce either way. It will just not be sold, shared with 3rd parties or used to profile you if you choose to opt out.
Duly noted. I still think that it is better to opt out because it reduces the risk associated with sharing data with other third parties.

I will go back through my recent posts to make sure that folks don't think that this will resolve the issue related specifically to Salesforce.
 

Aj58

Duly corrected. I still think that it is better to opt out because it reduces the risk associated with sharing with other third parties.

I will go back through my recent posts to make sure that folks don't think that this will solve the issue related specifically to Salesforce.
💯 agree with you to opt out wherever you can. The less data shared, the less data leaked.
 

MT1

Duly corrected. I still think that it is better to opt out because it reduces the risk associated with sharing with other third parties.

I will go back through my recent posts to make sure that folks don't think that this will solve the issue related specifically to Salesforce.
Unless there is a benefit to me, I opt out of everything.
 

ShadowsPapa

I’m familiar with data management as well. Salesforce is a CRM that stores customer data. Salesforce does not inherently have access to this data. In data privacy this isn’t considered sharing because Salesforce is not using the data for their own personal business. This data is the property of FCA, just stored in Salesforce's infrastructure. The only time Salesforce may get access to it is during a support issue initiated by FCA. Even in this case, an FCA employee with proper permissions would have to allow Salesforce support staff to log in. And even then they are not allowed to use the data for reasons outside of troubleshooting the problem that was brought up. Specifically, under GDPR Salesforce is a processor, not a 3rd party.

For simplicity's sake, when you opt out, all it does is set a Boolean value to true or false. This ties to all of your data stored in Salesforce. When FCA decides to sell the data they have collected, they simply filter on who is opted in vs who is opted out. Your data will continue to reside in Salesforce either way. It will just not be sold, shared with 3rd parties or used to profile you if you choose to opt out.
EXACTLY.

When support was needed where I worked, I was the one responsible for setting up a temporary login that expired, and I monitored what was happening. If server access was required, I was on the remote session myself. Once they were done, the credentials were totally removed from the system, not just disabled.

And like you said - the info is there, regardless. It's just a matter of the query including something like "opt out != true" (just for simple and kicks)

I wonder who here has Fakebook accounts, Instacrap, Tiktok and so on? Yeah...
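Aj58's description of the opt-out flag and ShadowsPapa's "opt out != true" query sketch above can be made concrete. The following is an added example written for this thread; it is not code from the forum, Stellantis, FCA or Salesforce. It assumes a constructed SQLite table `customer` with a `consent_opt_out` column (1 = opted out, 0 = explicitly opted in, NULL = preference never recorded) and invented sample rows. It shows the one edge case a data-governance reviewer would check first: how a record with no recorded preference fares under each way of writing the "who can we share" filter.

```python
import sqlite3

# Constructed sample CRM records (not real customers). consent_opt_out is
# the single Boolean described in the thread; None/NULL models a record
# whose preference was never captured (e.g. imported before the form existed).
SAMPLE_CUSTOMERS = [
    ("c1", "alice@example.test", 1),     # opted out
    ("c2", "bob@example.test", 0),       # explicitly opted in
    ("c3", "carol@example.test", None),  # preference unknown
    ("c4", "dave@example.test", 0),      # explicitly opted in
]


def build_db():
    """Create an in-memory table holding the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id TEXT PRIMARY KEY, email TEXT, consent_opt_out INTEGER)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def shareable_naive(conn):
    """The literal 'opt out != true' filter. SQL three-valued logic makes
    NULL != 1 evaluate to NULL, so records with unknown consent drop out:
    accidentally fail-closed."""
    rows = conn.execute(
        "SELECT id FROM customer WHERE consent_opt_out != 1 ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def shareable_permissive(conn):
    """A common 'fix' that brings NULL rows back in. It silently treats an
    unrecorded preference as consent to share: fail-open."""
    rows = conn.execute(
        "SELECT id FROM customer WHERE consent_opt_out IS NOT 1 ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def shareable_app_side(conn):
    """The same filter done in application code. `not None` is True in
    Python, so unknown consent leaks through exactly like the IS NOT query."""
    rows = conn.execute(
        "SELECT id, consent_opt_out FROM customer ORDER BY id"
    ).fetchall()
    return [cid for cid, opt_out in rows if not opt_out]


def shareable_explicit(conn):
    """Share only records with an explicit opt-in; unknown consent is excluded
    on purpose rather than by accident of SQL NULL semantics."""
    rows = conn.execute(
        "SELECT id FROM customer WHERE consent_opt_out = 0 ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def set_opt_out(conn, email, opted_out=True):
    """What the privacy-portal form ultimately does: flip the flag on every
    record keyed by that email address. Returns the number of rows touched,
    which is worth logging so a request that matched nothing is noticed."""
    cur = conn.execute(
        "UPDATE customer SET consent_opt_out = ? WHERE email = ?",
        (1 if opted_out else 0, email),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("!= 1 (naive)     :", shareable_naive(db))
    print("IS NOT 1         :", shareable_permissive(db))
    print("app-side not x   :", shareable_app_side(db))
    print("= 0 (explicit)   :", shareable_explicit(db))
    print("rows updated     :", set_opt_out(db, "bob@example.test"))
    print("after bob opts out:", shareable_explicit(db))
```

The point of the four variants is that the naive SQL form only excludes the unknown-consent record by luck of NULL comparison; move the same check into application code or "fix" the NULL handling and the record becomes shareable. Writing the filter as an explicit opt-in test makes the intended behaviour independent of how the column was populated.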
 

g2020

EXACTLY.

When support was needed where I worked, I was the one responsible for setting up a temporary login that expired, and I monitored what was happening. If server access was required, I was on the remote session myself. Once they were done, the credentials were totally removed from the system, not just disabled.

And like you said - the info is there, regardless. It's just a matter of the query including something like "opt out != true" (just for simple and kicks)

I wonder who here has Fakebook accounts, Instacrap, Tiktok and so on? Yeah...
I was tempted to argue whether Salesforce was off the hook, but that would have taken this thread off the rails. At the least, they are a party to this data breach. However, data ownership, possession, permission, location, etc... are so complex that it is best to keep it simple and call this one a Stellantis breach.

On a related note, hosting data with a third-party cloud service provider in a country with laws favorable to the company is part of data management strategy. Our data is everywhere.
 

ShadowsPapa

On a related note, hosting data with a third-party cloud service provider in a country with laws favorable to the company is part of data management strategy. Our data is everywhere.
Oh, man - understatement of the week.

It's a Salesforce hack. Stellantis just happened to be their customer.
The product, the code, is where the problem lies, not with Stellantis itself.
We can go back a few years to other breaches - of government - where a PRODUCT was compromised. The issue was the product being used.

You can have things set up very well, but if the traffic in and out is seen as legit due to the communication being to and from a legit app - there's little you could do about it.
Salesforce is ultimately responsible.
The code allowed it.
There have been others.

This statement here, from the article you linked, shows it was a product issue, not a Stellantis issue:
>> part of a recent wave of Salesforce data breaches <<
 

Aj58

I would argue this is more a SalesLoft Drift issue. This 3rd-party app was the weak link which allowed the OAuth tokens to be exposed. They specifically did not secure their token handling. Once the hackers had access to the tokens, they simply logged in using legitimate tokens.