Ferrari, the world-famous makers of elite sports cars, just suffered a significant data breach caused by ransomware.
The news emerged in an apologetic letter sent in English to customers on March 20:
“We regret to inform you of a cyber incident at Ferrari where a threat actor was able to access a limited number of systems in our IT environment,” the letter began.
The letter went on to tell customers that the personal data of an unspecified number of customers was stolen during this incident, including names, email addresses, and telephone numbers. Then we get to the important bit:
“We were recently contacted by a threat actor with a ransom demand related to such customer data.”
So, this was a ransomware attack and not simply a more general breach of data.
The letter goes on to explain that Ferrari had begun an investigation, through a third-party forensics company, into whether the data was genuine. An official announcement made on the company’s website on the same day added the following remark:
“As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.”
We could end the story at this point if it weren’t for the fact that Ferrari suffered a previous, more mysterious data breach reported in the Italian press in October 2022.
That incident was reportedly the work of a group called RansomEXX: 7GB of data said to be from the company was alleged to have been leaked to the dark web, comprising repair manuals, spreadsheets, and other unspecified documents.
Ferrari later denied it had been targeted by ransomware in the earlier attack, telling a news site:
“Ferrari has no evidence of a breach of its systems or ransomware and informs there has been no disruption to our business and operations. The Company is working to identify the source of the event and will implement all the appropriate actions as needed.”
Notice, however, that Ferrari doesn’t seem to deny that something happened. But what?
The first possibility is that Ferrari was unfortunate and suffered two separate attacks. That would be embarrassing if that is the case. The second possibility is that the two attacks were somehow connected. Given that Ferrari downplayed the earlier attack, that would be embarrassing in a different way.
Was the earlier attack even ransomware? Technically, a ransomware attack requires a ransom note, which Ferrari doesn’t mention. Attackers have also been known to exaggerate their success to gain notoriety.
This is all speculation, of course—but that’s the point. When these attacks come to light, there is often so little information it’s impossible to come to a clear understanding of what happened.
It doesn’t help that customers aren’t told about many attacks until some weeks or months after the event. Into this vacuum, the attackers are free to spin whatever yarn they want, feeding even more fear into the system.
If ransomware can’t get to your data, it can soften you up with the terror of that happening in the future. These incidents are always bad news for the victims. Too often they end up being a great advertisement for the prowess of the ransomware groups, too.