Data breach · Resolved

Ferrari ransom-driven data breach

Ferrari disclosed that a threat actor had breached its systems and demanded a ransom over stolen client contact data — names, addresses, emails and phone numbers — which the luxury carmaker refused to pay.

Victim
Ferrari

On 20 March 2023, the Italian luxury sports-car manufacturer Ferrari disclosed that it had been contacted by a threat actor demanding a ransom in connection with certain client contact data that had been compromised. Rather than quietly negotiate, Ferrari publicly confirmed the incident and notified affected customers, stating as a matter of policy that it would not be held to ransom.

What happened

Ferrari said it was contacted by a threat actor with a ransom demand related to specific client contact details. Upon receiving the demand, the company immediately opened an investigation with the support of a third-party cybersecurity firm and informed the relevant authorities.

Ferrari was explicit about its stance: "As a policy, Ferrari will not be held to ransom, as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks." The company chose to disclose the incident to clients and to describe the nature of the exposure, treating this as the most transparent course of action.

Impact

  • Exposed data was limited to client contact information: names, addresses, email addresses and telephone numbers.
  • Ferrari stated it found no evidence that payment details, bank account numbers, or other sensitive payment information had been accessed or stolen.
  • There was no impact on Ferrari's operational systems or vehicle production; this was a confidentiality breach, not a disruptive ransomware encryption event.
  • A listing later associated with the RansomEXX group claimed roughly 7 GB of Ferrari data, including internal documents and repair manuals. Ferrari's official disclosure focused on the client-contact exposure, and the carmaker had separately denied an earlier, unrelated RansomEXX claim in October 2022.

Why it matters

The Ferrari case is notable less for the volume of data — which was modest — than for the quality of the victims and the company's handling. A breached database of Ferrari clients is, in effect, a curated list of ultra-high-net-worth individuals, making it exceptionally valuable for targeted phishing, social engineering, and physical-security risk. Ferrari's response — refusing the ransom, disclosing promptly, and notifying customers directly — became a widely cited example of the "do not pay, do disclose" posture that regulators and law-enforcement agencies increasingly advocate. It illustrates how, for prestige brands, the reputational management of a breach can matter as much as its technical scope.

Timeline

  1. Ferrari is contacted by a threat actor with a ransom demand related to certain client contact details.

  2. Ferrari launches an investigation with a third-party cybersecurity firm and informs the relevant authorities.

  3. Ferrari publicly discloses the incident and notifies affected clients, stating it will not pay the ransom.

  4. Media report that exposed data includes names, addresses, email addresses and phone numbers, but no payment data.

Sources

  1. ferrari.com: https://www.ferrari.com/en-EN/corporate/articles/cyber-incident-in-ferrari
  2. techcrunch.com: https://techcrunch.com/2023/03/21/ferrari-says-ransomware-attack-exposed-customers-personal-data/
  3. securityweek.com: https://www.securityweek.com/ferrari-says-ransomware-attack-exposed-customer-data/
  4. helpnetsecurity.com: https://www.helpnetsecurity.com/2023/03/21/ferrari-data-breach-client-data-exposed/
  5. bloomberg.com: https://www.bloomberg.com/news/articles/2023-03-20/ferrari-says-ransomware-attack-exposed-clients-names-email
