Auto parts giant AutoZone warns of MOVEit data breach

AutoZone is warning tens of thousands of its customers that it suffered a data breach as part of the Clop MOVEit file transfer attacks.

AutoZone is the leading retailer and distributor of automotive spare parts and accessories in the U.S., operating 7,140 shops in the country and also in Brazil, Mexico, and Puerto Rico.

The company has an annual revenue of nearly $17.5 billion, employs 119,000 people, and its online shop is visited by 35 million users per month, according to similarweb.com stats.

Earlier this year, the Clop ransomware gang exploited a zero-day MoveIT vulnerability to breach thousands of organizations worldwide, following up with double extortion and data leaks impacting millions of people.

AutoZone informed the U.S. authorities today that it suffered a data breach as part of these attacks on May 28, 2023, resulting in the compromise of data of 184,995 people.

"AutoZone became aware that an unauthorized third party exploited a vulnerability associated with MOVEit and exfiltrated certain data from an AutoZone system that supports the MOVEit application," reads the notification.

"We have performed an analysis of the affected system and associated data to determine whether your information was potentially impacted."

"More specifically, on or about August 15, 2023, AutoZone determined that the exploitation of the vulnerability in the MOVEit application had resulted in the exfiltration of certain data."

It took the company three more months to determine what data the intruders had stolen from its systems and who had been impacted and needed to be notified.

The letter sample AutoZone shared with the authorities censored details on what type of data was compromised. Still, the listing on the Office of the Maine Attorney General mentions "full names" and "social security numbers."

The firm has covered the cost of identity theft protection service for the letter recipients and advises them to remain vigilant for the next 24 months, reporting any suspicious incidents to the authorities.

The Clop ransomware gang took responsibility for an attack on AutoZone earlier this year and published all data they claimed to have stolen from the firm on July 7, 2023.

The data leaked by the cybercriminals is roughly 1.1GB in size, containing employee names, email addresses, parts supply details, tax information, payroll documents, Oracle database files, data about stores, production and sales information, and more. No customer data appears in the leaked files.

The Clop ransomware gang is expected to receive over $75 million in extortion payments from companies impacted by the MOVEit data theft attacks. In July, Emsisoft reported that over 77 million people had their data exposed. 

BleepingComputer has contacted AutoZone to request more information about the incident and whether the leaked dataset is genuine, and we will update this post as soon as we receive a response.