BMW says Play ransomware attack only hit local dealership in France

BMW is downplaying a ransomware attack claimed this week by criminal hackers, saying that it only affected a local dealership in France.

The Play ransomware group — which has drawn headlines for damaging attacks on the cities of Oakland and Antwerp in recent months — claimed it attacked “BMW France” on its leak site on Tuesday.

BMW France posted by Play Ransomware.

/bmw.fr @BMW @ValeryMarchive @S0ufi4n3 pic.twitter.com/7EbbRGanqL

— Dominic Alvieri (@AlvieriD) March 29, 2023

But in a statement to Recorded Future News, a BMW Group spokesperson said there was no evidence as of yet that the attack had penetrated the company at large.

“BMW Group experts are continuously monitoring the situation and have not identified any intrusion within BMW Group or BMW France systems,” the spokesperson said.

“They were able to locate the breach on the computer systems of a local dealer, which is an independent legal entity of BMW France. We will accompany and support the dealer and its team throughout the upcoming steps.”

In January, the Play group took credit for an attack on Arnold Clark, one of the United Kingdom’s largest car dealerships. When the car dealership refused to pay a ransom, the gang leaked National Insurance numbers (the equivalent of Social Security numbers in the U.S.) and passport data, alongside addresses and phone numbers.

It also published bank statements and car finance documents for customers of the Glasgow-based business.

In February 2022, ransomware actors from the now-defunct Hive group also attacked Emil Frey, one of Europe's biggest car dealers.

The Play ransomware group first emerged in July 2022 targeting government entities in Latin America, according to Trend Micro.