Retailers prime targets for data theft

A cyber thief snatched $253,000 by intercepting a wire transfer between an exotic-car retailer and another dealership.

In another case, a cyber criminal gained access to a dealership finance and insurance employee's computer and downloaded 200 customer credit reports from a credit bureau.

Both of those cybercrimes occurred this year, said Erik Nachbahr, president of Helion Technologies, a Maryland company that manages information technology operations for 750 automotive and truck dealerships. Nachbahr, dealership lawyers and compliance and other experts said there have been a spike in such thefts targeting auto retailers.

"Dealers have been at risk for hacking and breaches and that's because a dealership is a treasure trove" of personal and financial information, said Aaron Jacoby, managing partner of Arent Fox law firm in Los Angeles.

Retired FBI special agent John Iannarelli, a frequent speaker at dealership association meetings on cyber security, said dealerships are targets in part because a lot of money moves in and out of the stores.
The F&I office is particularly vulnerable, experts said, because it's where dealerships solicit nonpublic personal information such as Social Security numbers for tasks such as completing a finance application, or take credit card numbers for payments.

"I don't think it's a matter of not being breached," Linda Robertson, executive director of the Association of Dealership Compliance Officers, said of the threat to dealerships. "I think it's a matter of when."

Iannarelli, of Scottsdale, Ariz., said one risk for dealerships is business email compromise, where someone hacks into an email system and watches exchanges, including the flow of money, perhaps also sending fake money-wiring instructions.

Dealership employees have received fraudulent emails that appear to come from someone at the dealership asking them to buy a gift card or from someone claiming to be the controller or CFO and requesting the employee wire money, said Nachbahr, a certified information systems security professional.

In other attacks, a dealership employee may click on an email link or attachment and a sophisticated ransomware attack can lock up a dealership's computer operations for days or weeks, experts said.

In some cases, criminals will pretend to be a customer and ask a dealership employee to look at a file, such as a car they want to buy, and ask the employee to log in using Dropbox and use their dealership username and password, Nachbahr said.

"It requires no hacking, really. You just stand up a fake website. So then dealership employees will go in, they will enter the credentials," Nachbahr said. "Then the cyber criminals will actually log in to their email boxes and set up a bunch of rules to forward all of their email."

Once they have access to an employee's email, they scour for personal information such as credit card or bank-account numbers.

Nachbahr, who said the data theft and hacking examples include some of his clients and other dealerships in the industry he has knowledge of, said successful cyber data breaches and hacking happen every few weeks at dealerships. He called dealerships "low-hanging fruit" for cyber criminals.

"All of this stuff is totally unreported because no dealer wants their dealership out there with a security incident," he said.

Dealerships that suffer a data theft may have to pay for a consumer's credit monitoring if data is stolen. Breaches can also lead to be reputational damage and lawsuits, experts said.

Nearly 84 percent of consumers wouldn't buy another vehicle from an auto retailer if their personal data had been compromised, according to a 2015 survey from auditing company Total Dealer Compliance.

In the case of the exotic dealership, Nachbahr said cyber criminals gained access to an employee's email, likely by that employee clicking on a link. Then, they sent an email to change the bank account number for the wire, he said. Nachbahr said law enforcement was notified, as were investigators from the dealership's insurance company. But there was no recovery of the money, he said.

In the other example, keylogger software was downloaded unknowingly onto the F&I employee's computer and had been tracing the keystrokes. The software captured the employee's login and passwords to gain access to the credit bureau, Nachbahr said. The bureau shut off the dealership's access and notified the FBI, he said, and the dealership had to investigate its data system, then prove to the bureau that the dealership understood where the attack originated and that the threat was handled. The cost of the investigation to the dealership was about $150,000, Nachbahr said. The credit bureau also is requiring an annual security audit of the dealership for the next five years.

Dealerships also have had close calls. Take Galpin Motors Inc.

Galpin, a North Hills, Calif., dealership group, in a testimonial on vendor Credit Bureau Connection's website, said it uses Credit Bureau Connection's fraud prevention product to help identify synthetic-identity theft. A sales manager using the tool was able to stop a suspicious deal and notify the dealership's compliance department. It was investigated and referred to law enforcement.

"While we were able to prevent the thief from obtaining a brand-new vehicle, he had already obtained other luxury vehicles from local dealerships (who I suspect were not using CBC)," Chris Cleveland, compliance director at Galpin Motors, wrote in the testimonial. "Fortunately, the information we provided to the police eventually led to the arrest of two individuals involved in scamming the other dealers."

Cleveland and other Galpin executives did not respond to requests for comment.

If a hack or data breach of nonpublic personal information occurs, dealerships need to be ready to act — and quickly, Robertson and other experts said.

Robertson's Association of Dealership Compliance Officers trains dealership compliance officers on how to conduct their own security risk assessments, create policies, train employees and identify areas that need to be corrected.

Dealers should have a breach response team ready, as suggested by Federal Trade Commission guidelines on how to handle a breach, Robertson said. She said dealers rarely know they need to do this. The team should include senior leaders and people from the dealership's information technology and legal departments, and possibly a public relations company, Robertson said. They also should have law enforcement contacts.

Dan Hoban, chief strategy officer for Nuspire, a Commerce Township, Mich., managed security services company that works with 4,000 dealerships and monitors their networks, agreed dealers should map out a breach plan ahead of time, including which people would be pulled in to respond. After an attack, dealerships should deploy best practices to prevent another incident, Hoban said.

Iannarelli said he was hired by a dealership that suffered a business email compromise that involved the shipment of vehicles for a significant dollar amount.

"You've got about 24 hours," he said. "If you discover the problem and report it to the authorities, you might be able to get your money back."