By Richard White, PhD.
JD Power projects consumers spent over $43 billion dollars online in December 2017. That means they entrusted personal – and valuable – information to businesses, whom they assumed would keep that information secure. That doesn’t always happen though, and the consequences can be dire.
Experian reports that 60 percent of small to mid-sized companies folded because of a cyber-attack. The damage that resulted from these attacks ranged from the loss of Personally Identifiable Information (PII) to actual dollars that were spent by customers of those businesses.
These attacks can also lead to financial loss from business interruption, loss of reputation, and customer lawsuits. So, with the exchange of consumer sensitive data comes increased responsibility.
As buying a car is increasingly an online business, dealerships are now the guardians of vast amounts of valuable personal data. If a dealership discloses it has fallen victim to a security breach, consumers are less likely to entrust that dealership with their Personal Identifiable Information (PII), and their money.
Customers visit dealerships, either online or in person, to purchase a vehicle in exchange for money. They are also exchanging something more valuable – their PII.
Consumers provide dealerships with information such as their name, address, date of birth, phone number, social security number, and banking information. This information is a commodity that cyber criminals sell on underground websites and databases.
If they are successful at obtaining this data from dealerships, they can use it for fraudulent activities, such as opening a credit card account or applying for a loan under the consumer’s identity. After a breach in security of 40 million customer credit cards in 2013, Target made an agreement to settle a class action lawsuit for $10 million. A cyber-attack of this magnitude could destroy a dealership’s reputation and its business.
A dealership’s own employees are the biggest risk factor where keeping customers’ personal information secure is concerned. Employees are an easy target for cybercriminals because criminals can send a simple (phishing) email to trigger an attack. If a staff member takes the bait, they invite hackers into the dealership’s network.
F&I/Accounting professionals in a dealership — who process financial information, such as bank routing numbers, credit card information and credit scores — are attractive targets. For example, I responded to a cyber incident at a dealership in the Northeast where the controller thought he was exchanging emails with another auto dealer, however that was not the case. He was ultimately duped into processing a fraudulent wire transfer for $30,000.
Dealerships also have many technical support third-parties including suppliers and outsourced personnel, such as IT/HR/Accounting. These connections, from/to potentially unsafe infrastructures, create additional vulnerabilities and vectors for the hacker to exploit that can easily lead to access of critical systems and data through a seemingly trusted source. For example, Target was breached through an externally-managed environmental control system.
In addition, Bring Your Own Device (BYOD) brings another element of exposure to dealership networks. It is possible for employees to store PII on their personal mobile devices or laptops. It is worth noting that the use of personal devices is one of the most frequently used tools by rogue/malicious employees and hackers where theft of data is involved.
Some dealerships have internal IT departments, but like many small to mid-sized business, one employee may have multiple duties, so it is highly unlikely that there is a single dedicated and highly skilled resource focused on cybersecurity. Dealerships also outsource IT to third-party administrators. Cybercriminals are attracted to small businesses with limited resources for detecting threats. Depending on the technology infrastructure, dealerships need trained, certified IT personnel to protect consumer PII.
Centralized systems for dealerships are another threat to PII. An Iowa-based database software company, DealerBuilt, provides centralized services for dealer sales, customer relations and employee payroll. The company had a massive data breach in the later part of 2016 exposing critical data to the Internet in an unsecure manner.
The type of data leaked ranged from dealership sensitive to customer PII. The leak primarily occurred when machines were backed up in plain text (without the proper encryption) to a centralized source managed by DealerBuilt.
While this information has already begun to be discovered on the Internet — specifically on Shodan, a search engine for open and unsecured databases — it is too early to tell how much damage will result from Identity theft, financial fraud, credit reduction, and just how the potentially thousands of consumers impacted will react.
Dealerships are financial institutions
Since many dealerships are in the business of collecting, storing, consumer financial information, Graham Leach-Bliley Act (GLBA) criteria considers them financial institutions. During the process of an automobile purchase, consumers have a reasonable expectation that their sensitive information is encapsulated for that particular business transaction.
Failure to comply with GLBA requirements can amount to over $1 million in fines. In addition, the Payment Card Industry’s Data Security Standard (PCI-DSS) holds dealerships responsible for processing payments as a result of PII collected from financial transactions. Violators can be subject to a monthly charge of hundreds of thousands of dollars per month.
According to a CSO cybersecurity business report, cybercrime is expected to accelerate in the coming years. Damages resulting from cybercrime are estimated to reach $6 trillion a year by 2021 and criminals are expected to triple the amount of unfilled cybersecurity positions.
Implementing physical, administrative and technical controls can assist in minimizing data breach exposure. Such controls include: Provide surveillance networks, key badges, privacy screens, and enforce a clean desk policy. Implement job specific and third-party security policies and staff training. Conduct security assessments and regular audits, and obtain cybersecurity insurance.
Layering network systems is always important, from firewalls to updated antivirus software and secure data backups. In addition, including security permission settings, vulnerability scanning, enforcing strong passwords, closing unused ports and user accounts and properly offboarding terminated employees will help protect PII.
The Automotive Information Sharing and Analysis Center Auto-ISAC was implemented in July of 2016 to address cybersecurity best practices in the auto industry. Key areas involving these seven best practices include governance, risk management, security, threat detection and prevention, incident response, awareness training, information sharing and collaboration, security assessment, and a response program. Automobile dealerships are not alone, nor do they have to reinvent the wheel to protect consumer information.
Richard White, PhD is the founder and CEO of Warp2Security and the author of Cybercrime: The Madness Behind the Methods. He is a recognized industry expert in the fields of cybersecurity infrastructure, cybersecurity remediation, and cybersecurity program development. With over 25 years of experience in systems design, security technology implementation and security policy development and enforcement, Dr. White has developed innovative and affordable approaches for the rapid deployment of cyber threat detection and remediation technologies. He can be reached at firstname.lastname@example.org or www.warp2security.com