Editor's note: An earlier version of this article incorrectly stated that failure to encrypt data violated a federal rule.
DealerBuilt, an Iowa dealership software provider, reached a settlement with the Federal Trade Commission Wednesday over a 2016 breach of customer data that allowed a hacker to gain access to the personal information of about 12.5 million consumers stored by 130 dealership clients.
The dealership management system provider agreed to a settlement with the FTC over the attack and will "take steps to better protect the data it collects," the FTC said.
The agency said in a statement that LightYear Dealer Technologies, known commercially as DealerBuilt, failed to encrypt the sensitive consumer data it stored and failed to conduct vulnerability and penetration testing.
DealerBuilt CEO Michael Trasatti said Wednesday the company took immediate action when the breach occurred in 2016 and worked with customers. “We take securing customer data seriously,” Trasatti said in a statement. “We work to continuously improve our security.”
The matter will be resolved by a consent agreement that becomes final only once the FTC accepts it. Under the proposed consent agreement, DealerBuilt is required to implement a security program that complies with the Safeguards Rule, and is prohibited from handling consumer data until that program is in place.
The settlement also requires the company to obtain third-party assessments of its security program every two years.
The FTC does not have authority to seek monetary penalties for an initial violation, but if the company violates the settlement, the commission could seek civil penalties of up to $42,530 per violation.
According to the complaint, DealerBuilt failed to take measures to protect the sensitive customer data even though such measures were "readily available and relatively low-cost" to the provider. DealerBuilt sells dealership management systems and data processing systems.