10 Nov


Caveat Emptor (Your Auto Dealership Is Putting Your Financial Info At Risk)!

posted by: William White

Your customers are safe in the cars you sell. But are they safe in your dealership?

"Customer and Employee data from 128 dealerships was sent across the Internet in clear text. A bad guy looking at that unencrypted traffic could have plucked names, addresses and social security numbers off of the wire and used that information for fraudulent and criminal purposes." - Bill White, CTO

“Here in my car
I feel safest of all” – Gary Numan, in his 1979 hit “Cars”

I’m glad to hear that Gary feels safe in his car.  Really, I am.

And I am sure that the dealer, who sold him that post-recall Pinto back in ’79, was glad to hear Gary felt safe in that car as well.

Auto makers and dealers know how important safety and security features are to the buying public. As well they should. When I went to buy my new car back in March, my salesperson immediately began describing all the safety and security built into the vehicle- crash test ratings, collision prevention, attention assist, active blind spot assist, cross traffic assist, anti-theft protection, etc, etc, etc. She waxed poetic about all the ways the car could protect my family and that deer standing in the middle of the road on a foggy November evening.

Auto makers and dealers take the safety and security of their products very seriously. It’s no wonder Gary and I feel safest of all in our cars.

But, should we feel safe and secure in your dealership too? Is your dealership doing everything it can to protect Gary and me?  Are you safeguarding our financial info, social security numbers, bank account numbers, and any other personally identifiable information (PII)?  And while you are protecting all that F&I data containing customer info, are you also doing everything you can to protect your payroll data and employee info?  How about those passwords that provide access to your DMS?  Do you have those protected as well? And what about that photo copy of my license you made; the one where you hand wrote my social security number under my ID?  I’ll stop there. I think you see where I am going with this.

If your dealership is like most of the dealerships we at Ultimate Risk Solutions have worked with, you know you are legally bound to do everything you can to protect the privacy and financial data of your customers and employees. However, like most dealerships we encounter, you just don’t know what “everything” is.

We have asked a number of our customers in the auto dealership business what they do about Cybersecurity.  Here are some of the answers we’ve gotten:

“We have an IT guy…. He takes care of all of that…He is also our Director of Sales”

“All of our [locations] have firewalls and antivirus”

“We are one of the smaller dealerships in the area…We’re too small for someone to want to hack us”

“Our DMS is really secure… I mean they have everything tied down tight… We have to jump through all kinds of hoops to work with <Insert Large DMS Platform Here>”

Do any of those sound familiar to you?

If they do, your Cybersecurity program is woefully deficient; and, your customers’ financial data is at risk of falling into the hands of the bad guys. Your dealership’s reputation is at risk, as is its financial health. You need to start taking Cybersecurity more seriously.

For example, let’s look at what can happen to your customers’ and employees’ financial data when you rely solely on your DMS to protect it:

According to ZDNet, “If you bought a car in the last few years, there’s a good chance your personal information may have found its way to the open internet…Names, addresses, phone numbers, and social security numbers for both customers and employees for over a hundred car dealerships have leaked online, all thanks to a centralized records system coupled with shoddy security…Last week, MacKeeper security researchers found 128 dealership systems, known as LightYear machines, were backing up to DealerBuilt’s central systems without any encryption or security, allowing anyone to see what was being backed up.”

Yes.  You read that correctly. Customer and Employee data from 128 dealerships was sent across the Internet in clear text.  A bad guy looking at that unencrypted traffic could have plucked names, addresses and social security numbers off of the line and used that information for fraudulent and criminal purposes.

You also read correctly that it happened because a well-known, widely adopted DMS created by DealerBuilt allowed unencrypted data to be backed up over the Internet.

How would you like to be one of those 128 dealerships that had to notify its customers that their data might or might not be in the hands of cyber criminals- because your DMS wasn’t as secure as you thought it was? Wow. We could be talking about regulatory fines and penalties or, a class action law suit.  The reputation damage will cost them dearly by scaring away new business and repeat customers.

The bottom line is: If those dealerships had adopted a Cybersecurity program like the ones offered by Ultimate Risk Solutions (URS), this whole fiasco could have been avoided.  In one possible scenario, our solution would have identified the unencrypted data and automatically stopped it from making it onto the Internet.  In the worst-case scenario, our solution would have caught the data moving onto the Internet and alerted someone at the dealership- long before a research group stumbled upon it and released the findings to the public.

So how does your dealership avoid Cybersecurity issues like those mentioned above?  Leave it to the professionals. At URS, we have developed budget friendly, scalable 5 Step Cybersecurity Solutions ™ to help protect dealerships of any size. We can customize our solutions to meet all of your business needs.  From protecting your customers’ data to meeting PCI, GLB or FTC requirements, we’ve got you covered.

Let your “IT guy” focus on the F&I department, like you hired him to do. And let URS focus on your Cybersecurity.

info@ultimaterisksolutions.com or 610.755.0728/800.55.HELPS


OSHA Requirements for Electronic SDS Management System


Deadline on OSHA’s New Electronic Reporting Requirement is Around the Corner