LKQ Hit by Data Breach After Oracle Zero-Day Exploitation

LKQ Corporation, an automotive parts manufacturer, reported a cybersecurity incident in which threat actors leveraged a zero-day flaw in Oracle’s E-Business Suite to access and steal sensitive personal data belonging to its employees.

 

LKQ Corporation is a global Fortune 500 company specialising in alternative and specialty vehicle parts for repair and customisation. It operates across North America, Europe, and Asia, supplying recycled, remanufactured, and aftermarket components for cars, trucks, and performance vehicles, with major operations in the United States, the United Kingdom, and Europe.

 

In a data security incident notice filed with the Office of Maine Attorney General, LKQ said that it uses the Oracle EBS to manage critical internal operations, including human resources, finance, and other functions. Upon learning of the zero-day vulnerability in early October, LKQ promptly initiated an investigation, engaging external cybersecurity specialists to assess the nature and extent of the incident.

 

“We launched an investigation on October 3, 2025 with assistance from a third-party forensic firm and took steps to contain the issue, including promptly taking the system offline. There is no evidence of impact to LKQ’s systems beyond the Oracle E-Business Suite environment,” LKQ said.

 

The investigation, which concluded on December 1, revealed that sensitive personal data belonging to employees was compromised in the incident. The breach also affected sole proprietor suppliers, exposing information such as Employer Identification Numbers (EINs) and Social Security numbers.

 

The filing with the Maine state regulator’s office also states that LKQ has identified at least 9,070 Maine residents affected by the incident.

 

“LKQ took steps to deploy additional safeguards onto our systems, including reinforcing our security practices, and enhancing security monitoring and controls to fortify the same. And, as part of our ongoing security operations, we regularly review our security and privacy policies and procedures and implement changes when needed to enhance our information security program and controls,” the company added.

 

LKQ has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. 

 

It has also offered two years of complimentary identity protection and credit monitoring services through TransUnion to all affected individuals.