Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
Leaked documents suggest safety violations as German car-maker points to data breach at US third-party provider.
Luxury car manufacturer BMW has confirmed the details of a cyber incident impacting one of its American third-party service providers.
The Everest ransomware group claimed to have gained access to “critical BMW audit documents” in a leak post dated September 14, and BMW has now said it was an incident involving its supply chain.
“There has been a data breach at a third-party service provider in the US. The incident relates to internal quality management documents,” a BMW spokesperson told Cyber Daily.
“As a precaution, access to affected accounts has been blocked and extensive security checks have been carried out. At this stage, there is no evidence of compromise within BMW infrastructure.
“We take the protection of data and the security of our systems extremely seriously. We are working closely with our partners (and the authorities) to thoroughly investigate the incident and ensure the highest level of data protection.”
However, since the ransomware actor posted its initial claims, more details of the incident have come to light.
Everest has now shared several documents that suggest the third party in question is change2target, a supplier management firm that assists BMW in auditing its production processes. The documents include safety audit documents that name BMW staff and alleged issues with industrial practices.
“We have in our possession BMW documents and correspondence from 2021 - 2025: reports, logs, emails,” Everest said.
“They clearly show that violations dragged on for years and were closed only on paper, without being resolved.”
As of writing, Everest has said “We'll wait for company representatives for a few hours, and if no one arrives, we'll publish the first part of the data”.
Cyber Daily has confirmed that the documents leaked so far appear legitimate, and the correspondence features names and email addresses of both BMW and change2target staff.
change2target describes itself as a hybrid consulting firm working in the automotive, chemical, pharmaceutical, and energy sectors, and has offices in Munich, New York, Greenville, San Luis Potosi, Mumbai, and Shanghai.
“We are experts in Supplier Management. Our activities range from Operational Excellence programs to increase performance, product and delivery quality to transparent risk management along the supply chain,” the company says on its website.
“With change2target AI, we support companies in the AI-based automation of administrative processes.”
Cyber Daily has reached out to both BMW and change2target for further comment.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
