GM Data Breach Exposes Car Owner Personal Information

The Lyon Firm is investigating the GM data breach on behalf of car owners across the country. Contact the firm if you have been sent notice.

General Motors has announced that customers were the subject of a cyberattack levied against the automaker in April 2022, according to a letter filed with the California Attorney General.

The breach was discovered after GM began investigating a number of  suspicious login attempts to customer accounts from April 11-29. The automaker confirmed around 140 breached accounts, in which the attackers redeemed reward points for gift cards.

GM says there is no evidence that the attack used credentials or a login vulnerability from its systems directly, and determined that the data breach stemmed from elsewhere on the internet. GM says that those responsible may have had access to the following personal information:

• First and last name
• Personal email address
• Home address
• Username
• Phone number
• Last known and saved favorite location
• OnStar package (if applicable)
• Family members’ avatars and photos
• Profile picture
• Search and destination information
• Reward card activity
• Fraudulently redeemed reward points

What is Credential Stuffing?

The GM data breach began with a type of attack called “credential stuffing.” This can occur when a bad actor uses credentials that have been previously dumped as the result of another breach and logs in to systems using these credentials.

Joe Lyon is a highly-rated data breach lawyer and Privacy Attorney representing plaintiffs nationwide in class action security breach lawsuits.