This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Eagers Automotive

Summary

Eagers Automotive, Australia's largest operator of car dealerships, suffered a LockBit 3.0 ransomware attack that forced the company to halt ASX trading on December 27, 2023. The incident disrupted operations across over 300 dealership locations in Australia and New Zealand, impacting vehicle sales and service operations. LockBit set a ransom deadline of January 19, 2024, though the company did not confirm paying and the ransomware gang later removed the listing.

What Happened

Eagers Automotive detected unauthorized access to portions of its IT systems in late December 2023, prompting an immediate trading halt on the Australian Securities Exchange on December 27, 2023. The company publicly disclosed the cyber incident on December 28, 2023, announcing that a third party had gained unauthorized access to some data from servers.

On December 30, 2023, the LockBit 3.0 ransomware group claimed responsibility for the attack on their leak site, setting a ransom payment deadline of January 19, 2024. The attackers threatened to publish stolen data if the ransom was not paid. LockBit later posted an updated deadline in January 2024 before eventually removing any mention of Eagers from their site, suggesting either payment, negotiation, or abandonment of the extortion attempt.

The attack disrupted critical business operations across Eagers' network of over 300 dealerships representing major automotive brands including Toyota, BMW, Nissan, Mercedes-Benz, Audi, Ford, Volkswagen, and Honda. The incident primarily impacted the company's ability to finalize new vehicle transactions that were already sold and ready for delivery, as well as affecting service and parts operations to a lesser extent.

Impact on Individuals

Eagers Automotive confirmed that a "small number of individuals" had their personal information accessed and began notifying affected parties. While the company did not disclose the total number of affected individuals or the specific types of data compromised, typical automotive dealership data includes:

  • Customer contact information (names, addresses, phone numbers, emails)
  • Vehicle purchase and service history
  • Driver's license details (required for test drives and purchases)
  • Financial information related to vehicle financing
  • Trade-in vehicle details
  • Insurance information

The breach affected both customers and potentially employees across Eagers' extensive dealership network spanning Australia and New Zealand. As the largest automotive retail group in the region, the scope of stored customer data was substantial, covering years of vehicle sales and service transactions.

The operational disruption also impacted customers waiting to take delivery of purchased vehicles, creating delays and uncertainty during the incident response and system restoration period.

Organisational Response

Eagers Automotive took immediate action by requesting an ASX trading halt to manage the incident and inform shareholders. The company engaged external cybersecurity specialists to investigate the breach, secure systems, and determine the extent of data access.

The company worked systematically to restore operations across its dealership network while maintaining security protocols. Eagers prioritized notifying affected individuals whose data was accessed, though they characterized this group as "a small number" relative to the company's overall customer base.

The ASX-listed company's transparent handling of the incident, including the trading halt and public disclosure, demonstrated compliance with continuous disclosure obligations and prioritization of stakeholder communication. However, the company did not confirm whether the LockBit ransomware gang's claims about the attack specifics or whether any ransom was paid.

The eventual removal of Eagers from LockBit's leak site suggested some form of resolution, though the company did not publicly comment on the outcome of negotiations or whether stolen data was published. The incident highlighted the vulnerability of large retail operations with extensive IT infrastructure connecting hundreds of locations and managing sensitive customer financial and personal information.

[extra.impact] affected_individuals = 0 individuals_note = "" data_volume_gb = 0 record_count = 0 financial_cost_total = 0 ransom_demanded = 0 ransom_paid = 0 estimated_remediation = 0 downtime_hours = 0 downtime_note = "" +++

Verification Source: View original statement