Retailers prime targets for data theft

A cyber thief snatched $253,000 by intercepting a wire transfer between an exotic-car retailer and another dealership.

In another case, a cyber criminal gained access to a dealership finance and insurance employee's computer and downloaded 200 customer credit reports from a credit bureau.

Both of those cybercrimes occurred this year, said Erik Nachbahr, president of Helion Technologies, a Maryland company that manages information technology operations for 750 automotive and truck dealerships. Nachbahr, dealership lawyers and compliance and other experts said there have been a spike in such thefts targeting auto retailers.

Nachbahr: Theft goes unreported.

"Dealers have been at risk for hacking and breaches and that's because a dealership is a treasure trove" of personal and financial information, said Aaron Jacoby, managing partner of Arent Fox law firm in Los Angeles.

Retired FBI special agent John Iannarelli, a frequent speaker at dealership association meetings on cyber security, said dealerships are targets in part because a lot of money moves in and out of the stores.
The F&I office is particularly vulnerable, experts said, because it's where dealerships solicit nonpublic personal information such as Social Security numbers for tasks such as completing a finance application, or take credit card numbers for payments.

Not if, when

"I don't think it's a matter of not being breached," Linda Robertson, executive director of the Association of Dealership Compliance Officers, said of the threat to dealerships. "I think it's a matter of when."

Iannarelli, of Scottsdale, Ariz., said one risk for dealerships is business email compromise, where someone hacks into an email system and watches exchanges, including the flow of money, perhaps also sending fake money-wiring instructions.

Dealership employees have received fraudulent emails that appear to come from someone at the dealership asking them to buy a gift card or from someone claiming to be the controller or CFO and requesting the employee wire money, said Nachbahr, a certified information systems security professional.

In other attacks, a dealership employee may click on an email link or attachment and a sophisticated ransomware attack can lock up a dealership's computer operations for days or weeks, experts said.

In some cases, criminals will pretend to be a customer and ask a dealership employee to look at a file, such as a car they want to buy, and ask the employee to log in using Dropbox and use their dealership username and password, Nachbahr said.

"It requires no hacking, really. You just stand up a fake website. So then dealership employees will go in, they will enter the credentials," Nachbahr said. "Then the cyber criminals will actually log in to their email boxes and set up a bunch of rules to forward all of their email."

Once they have access to an employee's email, they scour for personal information such as credit card or bank-account numbers.

Robertson: It’s a matter of when.

Frequent breaches

Nachbahr, who said the data theft and hacking examples include some of his clients and other dealerships in the industry he has knowledge of, said successful cyber data breaches and hacking happen every few weeks at dealerships. He called dealerships "low-hanging fruit" for cyber criminals.

"All of this stuff is totally unreported because no dealer wants their dealership out there with a security incident," he said.

Dealerships that suffer a data theft may have to pay for a consumer's credit monitoring if data is stolen. Breaches can also lead to be reputational damage and lawsuits, experts said.

Nearly 84 percent of consumers wouldn't buy another vehicle from an auto retailer if their personal data had been compromised, according to a 2015 survey from auditing company Total Dealer Compliance.

In the case of the exotic dealership, Nachbahr said cyber criminals gained access to an employee's email, likely by that employee clicking on a link. Then, they sent an email to change the bank account number for the wire, he said. Nachbahr said law enforcement was notified, as were investigators from the dealership's insurance company. But there was no recovery of the money, he said.

In the other example, keylogger software was downloaded unknowingly onto the F&I employee's computer and had been tracing the keystrokes. The software captured the employee's login and passwords to gain access to the credit bureau, Nachbahr said. The bureau shut off the dealership's access and notified the FBI, he said, and the dealership had to investigate its data system, then prove to the bureau that the dealership understood where the attack originated and that the threat was handled. The cost of the investigation to the dealership was about $150,000, Nachbahr said. The credit bureau also is requiring an annual security audit of the dealership for the next five years.

Under constant attack

How common are cyberattacks on dealerships?

  • On an average day, 153 viruses and 84 malicious spam emails are blocked by technology on a dealership’s network.
  • A dealership may experience a high-severity attack, something that could impact operations or lead to data theft, more than 45 times a month.
  • A dealership may be under a critical network attack, such as a virus making a computer or network inoperable, more than 9 times a month.
  • A dealership will allow on average 6 suspicious files — coming through a firewall — onto its network each month.
  • A dealership will allow an average of 212 instances of malicious activity, such as malware or malicious spam, through a firewall each month.
  • Twice a month at each of its client dealerships, on average, a security event is severe enough that Nuspire, a cyber-security company that works with 4,000 dealerships, launches an investigation.
  • Source: Nuspire
  • Ganther: Make things seamless.
  • Singerman: Give payment info.
  • Jordan Ford employees in San Antonio contact shoppers to explain the credit inquiry.
  • Shaules said he enjoys being part of Honda’s conversation about safety.
  • Kyle Shaules’ Civic rolled five times after he hit a puddle and hydroplaned.
Close calls

Dealerships also have had close calls. Take Galpin Motors Inc.

Galpin, a North Hills, Calif., dealership group, in a testimonial on vendor Credit Bureau Connection's website, said it uses Credit Bureau Connection's fraud prevention product to help identify synthetic-identity theft. A sales manager using the tool was able to stop a suspicious deal and notify the dealership's compliance department. It was investigated and referred to law enforcement.

"While we were able to prevent the thief from obtaining a brand-new vehicle, he had already obtained other luxury vehicles from local dealerships (who I suspect were not using CBC)," Chris Cleveland, compliance director at Galpin Motors, wrote in the testimonial. "Fortunately, the information we provided to the police eventually led to the arrest of two individuals involved in scamming the other dealers."

Cleveland and other Galpin executives did not respond to requests for comment.

If a hack or data breach of nonpublic personal information occurs, dealerships need to be ready to act — and quickly, Robertson and other experts said.

Robertson's Association of Dealership Compliance Officers trains dealership compliance officers on how to conduct their own security risk assessments, create policies, train employees and identify areas that need to be corrected.

Dealers should have a breach response team ready, as suggested by Federal Trade Commission guidelines on how to handle a breach, Robertson said. She said dealers rarely know they need to do this. The team should include senior leaders and people from the dealership's information technology and legal departments, and possibly a public relations company, Robertson said. They also should have law enforcement contacts.

Dan Hoban, chief strategy officer for Nuspire, a Commerce Township, Mich., managed security services company that works with 4,000 dealerships and monitors their networks, agreed dealers should map out a breach plan ahead of time, including which people would be pulled in to respond. After an attack, dealerships should deploy best practices to prevent another incident, Hoban said.

Iannarelli said he was hired by a dealership that suffered a business email compromise that involved the shipment of vehicles for a significant dollar amount.

"You've got about 24 hours," he said. "If you discover the problem and report it to the authorities, you might be able to get your money back."

RECOMMENDED FOR YOU
Ally offers buyouts with layoffs possible
Letter
to the
Editor

Send us a letter

Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

Recommended for You
Ally
Ally offers buyouts with layoffs possible
LAPLANCHE-MAIN_i.jpg
As others go, Upgrade enters lending market
Tip: Don't sell F&I products you don't believe in
Tip: Don't sell F&I products you don't believe in
Sign up for free newsletters
Digital Edition
Automotive News 10-2-23
THIS WEEK'S EDITION
See our archive