On July 5, 2024, Carvana Co. discovered suspicious activity involving its customers’ accounts. The investigation revealed that an unauthorized party had accessed personal information by obtaining credentials from a third-party source, possibly from another company where the same username and password were used. In response, Carvana quickly reset the passwords for affected users and confirmed that the compromised credentials were not obtained from Carvana’s systems. Further investigation uncovered that, on July 23, 2024, these credentials may have been used to access a credit status system containing personal data, prompting Carvana to disable the unauthorized access immediately.
Carvana engaged a forensic security provider to assess the situation and confirmed that personal information, including dates of birth, addresses, phone numbers, and email addresses, may have been accessed by the unauthorized party. Carvana emphasized that no Social Security numbers were compromised in this incident. The company also reported the breach to law enforcement, cooperating with ongoing investigations to understand the full scope of the breach.
To address the situation and protect affected individuals, Carvana has taken multiple actions. The company strengthened its security measures, terminated unauthorized access, and worked with cybersecurity experts to confirm the nature of the breach. In addition, Carvana is offering identity protection services through IDX, a ZeroFox company. These services include 24 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and identity theft recovery services to help those affected by the breach.
Carvana has urged affected individuals to enroll in these free identity protection services and provided an enrollment code for access. Individuals can contact IDX for assistance and must do so before the enrollment deadline of December 12, 2024. Carvana also recommends that individuals remain vigilant by reviewing account statements for unusual activity and following recommended steps to protect their personal information.
Reference:
