Edmunds.com, Inc.

Edmunds.com, a leading automotive information platform acquired by CarMax in 2021, experienced a data breach on August 19, 2025, due to unauthorized access to a vendor-operated messaging system used by car dealers and customers. The breach exposed highly sensitive personally identifiable information (PII), including names, Social Security numbers, credit card details, and driver’s license information of affected individuals. While no immediate misuse was confirmed, the exposure of such data poses severe risks of identity theft, financial fraud, and long-term reputational harm to victims. Edmunds offered 24-month credit monitoring and identity protection services via IDX, but the incident has prompted a class-action lawsuit investigation by Shamis & Gentile P.A., as victims may be entitled to compensation for damages, lost time, and inconvenience. The breach underscores vulnerabilities in third-party vendor systems and the critical need for robust data protection measures in industries handling consumer financial and personal data.

Source: https://www.claimdepot.com/investigations/edmunds-data-breach-2025

Edmunds cybersecurity rating report: https://www.rankiteo.com/company/edmunds-com

"id": "EDM4770847112725",
"linkid": "edmunds-com",
"type": "Breach",
"date": "6/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': ['automotive',
                                     'digital marketplace',
                                     'online car shopping'],
                        'location': {'headquarters': 'Santa Monica, '
                                                     'California, USA',
                                     'other_offices': ['Detroit, Michigan, '
                                                       'USA']},
                        'name': 'Edmunds.com, Inc.',
                        'type': 'private company'},
                       {'industry': ['automotive retail', 'used vehicles'],
                        'name': 'CarMax',
                        'size': 'one of the largest used-vehicle retailers in '
                                'the USA',
                        'type': 'parent company (acquirer)'},
                       {'name': 'unidentified third-party vendor',
                        'type': 'vendor'}],
 'attack_vector': 'third-party vendor compromise (messaging application)',
 'customer_advisories': ['Notices sent to affected individuals about the '
                         'breach.',
                         'Advisory to review credit reports, enroll in '
                         'identity protection, and consider legal action.'],
 'data_breach': {'data_exfiltration': 'potential (messages accessed by '
                                      'unauthorized party)',
                 'personally_identifiable_information': ['names',
                                                         'Social Security '
                                                         'numbers',
                                                         'driver’s license '
                                                         'information'],
                 'sensitivity_of_data': 'high (includes SSNs, credit card '
                                        'info, driver’s license details)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'financial data']},
 'date_detected': '2025-08-19',
 'description': 'Edmunds.com, Inc. experienced a data breach involving '
                'unauthorized access to its proprietary messaging application '
                'operated by a third-party vendor. Sensitive personally '
                'identifiable information (PII) of users, including names, '
                'Social Security numbers, credit card details, and driver’s '
                'license information, was potentially exposed. The breach was '
                'discovered on or about August 19, 2025. Affected individuals '
                'are advised to monitor their credit, enroll in free identity '
                'protection services, and consider legal action for potential '
                'compensation.',
 'impact': {'brand_reputation_impact': 'potential reputational harm due to '
                                       'exposure of sensitive customer data',
            'data_compromised': ['names',
                                 'Social Security numbers',
                                 'credit card information',
                                 'driver’s license information'],
            'identity_theft_risk': 'high (due to exposure of SSNs, credit card '
                                   'details, and driver’s license info)',
            'legal_liabilities': 'potential class action lawsuits and '
                                 'compensation claims',
            'payment_information_risk': 'high (credit card information '
                                        'exposed)',
            'systems_affected': ['proprietary messaging application']},
 'initial_access_broker': {'entry_point': 'third-party vendor operating the '
                                          'messaging application',
                           'high_value_targets': ['customer PII (SSNs, credit '
                                                  'card data, driver’s license '
                                                  'info)']},
 'investigation_status': 'ongoing (class action investigation by Shamis & '
                         'Gentile P.A.)',
 'post_incident_analysis': {'corrective_actions': ['offering free credit '
                                                   'monitoring and identity '
                                                   'protection services']},
 'recommendations': ['Monitor credit reports and financial statements for '
                     'suspicious activity.',
                     'Enroll in the free 24-month credit monitoring and '
                     'identity protection services offered by Edmunds via IDX '
                     '(deadline: January 31, 2026).',
                     'Consider placing a fraud alert or security freeze on '
                     'credit files.',
                     'Report suspected identity theft to law enforcement and '
                     'the Federal Trade Commission.',
                     'Keep records of all correspondence and actions related '
                     'to the incident.',
                     'Affected individuals may seek legal counsel to explore '
                     'compensation options.'],
 'references': [{'source': 'Shamis & Gentile P.A. (Class Action '
                           'Investigation)'}],
 'regulatory_compliance': {'legal_actions': ['potential class action lawsuits',
                                             'investigation by Shamis & '
                                             'Gentile P.A.']},
 'response': {'communication_strategy': ['notices sent to affected individuals',
                                         'public advisory via Shamis & Gentile '
                                         'P.A.'],
              'remediation_measures': ['free 24-month credit monitoring and '
                                       'identity protection services for '
                                       'affected individuals'],
              'third_party_assistance': ['IDX (credit monitoring and identity '
                                         'protection services)']},
 'title': 'Edmunds.com, Inc. Data Breach (2025)',
 'type': ['data breach', 'unauthorized access']}