Ferrari rejects ransom demand after cyber attack

Italian carmaker Ferrari says it will refuse to pay a ransom after an unspecified threat actor broke into its IT systems and stole customer data

Supercar manufacturer Ferrari has warned customers that their personal data may be at risk after a limited number of its IT systems were compromised and information exfiltrated by an as-yet unspecified threat actor.

The Maranello, Italy-based firm reached out to those involved on Monday 20 March. In a letter to customers – a verified copy of which has been seen by Computer Weekly – chief executive Benedetto Vigna said the exposed data included names, addresses, email addresses and telephone numbers.

Vigna reassured customers that based on the current state of the investigation, the organisation was confident that no customer financial data, nor data on any of their vehicles, had been compromised.

In a public statement, a Ferrari spokesperson said the organisation had been contacted by the threat actor with a ransom demand related to “certain client contact details”. The organisation did not identify the threat actor involved.

“Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cyber security firm. In addition, we informed the relevant authorities and are confident they will investigate to the full extent of the law,” said the spokesperson.

“As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.

“Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident.”

The organisation said it took the confidentiality of its clients – many of whom are among the wealthiest individuals in the world – very seriously, and would be working with security experts to reinforce its systems.

“Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks”
Ferrari spokesperson

It added that the incident has had no impact on day-to-day operations. Nor does it appear to have affected the running of its Formula One championship team, which, having had a poor start to its 2023 season, is currently languishing in the constructors’ standings.

The F1 team partners with multiple tech firms, including Amazon Web Services, HCL Software and Palantir Technologies. Its current cyber security partner is Bitdefender, and it has historically had a strong relationship with Kaspersky.

At the time of writing, no known ransomware operator or affiliate had claimed responsibility for the incident.

Rob Bolton, vice-president of EMEA at secure access service edge (SASE) specialist Versa Networks, said that so far, Ferrari was hitting all the right buttons when it came to incident response best practice.

“First of all, it should be praised that Ferrari have come out and confirmed they will not pay any ransom demand. It is essential that organisations in similar situations do the same,” said Bolton.

“Paying ransom demands is no guarantee that stolen data will be returned, and it will only help fund future ransomware activity.”

However, he said, even having rejected the extortion attempt, Ferrari customers will be concerned over who may be in possession of their data, and what they may do with it.

“Stolen data usually ends up being sold on the dark web and can be used to commit further crimes such as identity theft and fraud,” he said.

Read more about ransomware

Read more on Data breach incident management and recovery

Data Center
Data Management