According to a letter and statement sent out by Ford Motor Credit, someone collected private information, including the work and home addresses, social security numbers, account numbers and credit history of 13,000 people, mostly from affluent neighbourhoods around the country. Most of the people were not Ford customers.
Ford spokesman Dan Jarvis said the company became aware of the breach in March when it was contacted by Experian, a subsidiary of GUS plc.
Experian customers had complained that Ford had conducted credit checks on them even though they had had no contact with the company.
Jarvis said the fraudulent credit checks were distinguished from the legitimate Ford checks because the software the fraudster used was different from Ford's. It is unclear if the hacker broke into Ford's system, and the company refuses to say how it believes the breach occurred, Jarvis said.
Experian spokesman Don Girard said he is still not sure that a hacker was responsible for the breach.
"One scenario could be that an access code was pilfered within Ford," Girard said. Experian gives large companies access codes with which they can gather credit information on potential customers.
Girard said no matter how the intruder got the information, Experian will press for prosecution to the fullest extent of the law.
Chris Hoofnagle, legislative counsel for the Washington-based Electronic Privacy Information Center (EPIC), said he wasn't surprised at the ease with which someone made off with the information.
"There is not a lot of market incentive, aside from lawsuits, for the credit agencies to be more responsible," Hoofnagle said. He said credit-reporting agencies have "poor business practices" and don't place thorough safeguards on consumers' private information. He said the agencies should require greater authentication before sending out such information.