A claim that a team of hackers had gained access to troves of dealerships’ sensitive consumer data spooked dealership software giants. The claim was a hoax.
On Feb. 16, an employee at software provider ELEAD1ONE, known as eLead, circulated what appeared to be a ransom email from hackers, saying they had breached the company’s customer relationship management system and were going to release Reynolds and Reynolds, CDK Global and Dealertrack systems data from three to four dealership groups.
The employee wrote that the so-called team had gathered millions of customer records. She released a batch of information online and threatened to release more.
The revelation triggered investigations by each company. One by one, they confirmed that no breaches occurred.
ELead identified the employee and determined that the data taken weren’t nearly as massive as claimed. Instead of stealing millions of pieces of sensitive data such as Social Security numbers and birth dates, the employee acquired thousands of pieces of more routine information such as names and phone numbers.
The incident received a momentary boost of credibility when consultant Brian Pasch, who received the email, posted the note on social media to inform dealers of the apparent breach. Pasch couldn’t be reached for comment.
Owner Hugh Hathcock said eLead is pursuing charges against the employee, who resigned soon after taking the data. “Because she wanted to get back at us for something, she just decided to publish [the data] to try to see if she could cause some controversy,” he said.
For the companies involved, the false alarm amounted to a fire drill for their security procedures.
Craig Goodwin, CDK’s chief security officer, said the company quickly compared the stolen information with its DMS data to ensure it didn’t originate with CDK. After it realized the data came from eLead, a CDK-certified third-party vendor, CDK got assurances that eLead was taking the necessary precautions. CDK informed its dealer clients that the data leak didn’t come from it, and never cut off eLead’s access to its DMS or customer relationship management systems.
The inside threat is always “the biggest one and the most overlooked,” Goodwin said. While he endorsed “being productively paranoid about this stuff,” he also warned against “a knee-jerk reaction which says, ‘Cut them off, make it unavailable to our customers.’” ELead had “taken the necessary steps, so that we could deliver our services to customers as uninterrupted and unimpeded as we possibly could.”
Dealertrack, owned by Cox Automotive, also conferred with eLead and never blocked eLead’s access to its DMS. But Reynolds temporarily suspended eLead’s access to its DMS when it verified that the “self-proclaimed hacker had publicly posted customer files to the Internet.”
Reynolds said it has followed its standard security protocol. Hathcock said the service suspension affected 1,000 dealerships. Reynolds began restoring “partial integration” to eLead on Feb. 22.