Hackers Breached Some GM Customer Accounts

(RTTNews) - General Motors Co. (GM) suffered a cyberattack last month that resulted in the exposure of customer information and allowed hackers to redeem gift card reward points. It was unclear how many accounts were affected.

The Detroit-based automaker revealed details of the incident in a breach disclosure filed with the California Attorney General's Office on May 16.

According to the data breach disclosure, malicious login activity was detected on an unspecified number of GM online user accounts between April 11 and April 29. The company identified recent redemption of customer reward points for gift cards that may have been performed without the customers' authorizations.

There is no evidence that the login information was obtained from GM itself. The company believes that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer's GM account, the company said in the filling.

The company disclosed in the filling that the unauthorized parties could have gained access to limited personal information of GM online or mobile application accounts, such as first and last name, personal email address, personal address, username and phone number for registered family members tied to customer's account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members' avatars and photos (if uploaded), profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points.

The stolen information did not include date of birth, Social Security number, driver's license number, credit card information, or bank account information, as that information is not stored in GM account, the company said.

General Motors disclosed in the filling that it took swift action in response to the suspicious activity by suspending gift card redemption and notifying affected customers of those issues. The company also took steps to require those customers to reset their passwords at their next log in, and it reported this incident to law enforcement.

The company recommended, as good security practices, that customers not use the same password for different accounts, and that they update any use of duplicate passwords.