Cl0p, a ransomware hacker gang, breached AutoZone’s data stores back in May, according to a breach notification filed with the Office of the Maine Attorney General on Tuesday. The data included full names and social security numbers of as many as 184,995 people in the company’s massive system. The hackers exploited a vulnerability in file transfer tool MOVEit to gain access to over 2,000 organizations and their customer data, including British Airways, the New York City public school system, the state of Maine, and the Louisiana DMV.
This wide-ranging attack has been among the largest and most expensive to track in the history of the internet. Researchers claim at least 62 million people have had their data breached, and the total cost of the attack is going to end up somewhere in excess of 12 billion dollars.
AutoZone notified the Maine Attourney General on Tuesday, though the attack had occurred six months prior. AutoZone needed to investigate the scope of the attack and conduct forensics on its internal data. The company believes it has located and patched the vulnerabilities in its system, locking the hackers out before reporting the hack has been discovered.
Cl0p claimed responsibility for the AutoZone hack back in July, publishing 1.1 gigabytes worth of the data from the auto parts retailer online as proof.
“AutoZone became aware that an unauthorized third party exploited a vulnerability associated with MOVEit and exfiltrated certain data from an AutoZone system that supports the MOVEit application,” AutoZone told its customers in a notification message.
AutoZone has offered one year of free credit monitoring software to its affected customers. The company brings in about $17.5 billion in revenue annually, operating over 7,000 retail locations in the U.S., Mexico, Puerto Rico, Brazil, and the U.S. Virgin Islands.