The Target: AutoZone is the leading retailer and distributor of automotive spare parts and accessories in the U.S., operating 7,140 shops in the country and also in Brazil, Mexico, and Puerto Rico.
The Take: The data leaked by the cybercriminals is roughly 1.1GB in size, containing employee names, email addresses, parts supply details, tax information, payroll documents, Oracle database files, data about stores, production and sales information, and more. No customer data appears in the leaked files.
The Vector: AutoZone became aware that an unauthorized third party exploited a vulnerability associated with MOVEit and exfiltrated certain data from an AutoZone system that supports the MOVEit application. More specifically, on or about August 15, 2023, AutoZone determined that the exploitation of the vulnerability in the MOVEit application had resulted in the exfiltration of certain data.
This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.