Auto retailers prime targets for data theft
Skip to main content
Sister Publication Links
  • Automotive News Canada
  • Automotive News Europe
  • Automotive News China
  • Automobilwoche
AN-LOGO-BLUE
Subscribe
  • Subscribe
  • Account
  • login
  • HOME
  • NEWS
    • Dealers
    • Automakers & Suppliers
    • News by Brand
    • Cars & Concepts
    • Coronavirus Coverage
    • China
    • Shift
    • Mobility Report
    • Special Reports
    • Digital Edition Archive
    • This Week's Issue
    • CarMax
      CarMax plans bonuses for 22,000 employees to reward pandemic efforts
      COVID-19 vaccines reaching auto plants, but challenges remain
      Working online to book COVID shots, office manager Billie Jean Pellet “typed so fast smoke came off the keyboard,” said dealer Earl Stewart.
      Dealership team hunts for vaccine
      Hope stalls for rebound in European auto sales
    • Chinese tech companies are turning their sights on EVs
      Telecom firm ZTE preparing electric vehicle product line
      Changan
      Huawei, battered by U.S. sanctions, plans foray into EVs, report says
      VW China
      Top VW China exec said to eye joining Renault as local CEO
      Geely to create separate EV business unit
    • Udelv CEO offers a historical perspective on high-tech goods delivery
      Q&A with BrightDrop CEO Travis Katz
      Automakers optimize manufacturing, customize products through digitization
      3D-printing a Porsche: Making concepts matter
    • The Cruise AV autonomous vehicle, based on the Chevy Bolt
      GM-backed Cruise is in talks to buy startup Voyage, report says
      Fisker's next wave: A premium people's car
      A worker fixes a power line in Austin, Texas, last month.
      Bidirectional EVs could lend a hand in power crisis
      Toyota banks on plug-ins as rivals push BEVs
    • Elon Musk interview
      Tesla’s Model Y, on sale since March, is a showcase of EV technologies competitors will benchmark.
      Technologies of Electrification
      Cadillac’s Lyriq EV will be unveiled Aug. 6.
      Future Product Pipeline
      A CALL TO ACTION
    • COVID-19 vaccines reaching auto plants, but challenges remain
      Cars parked at a Ford dealership lot
      In SPACs, dealers see viable option to go public
      New-school solution for recruiting auto techs
      Is your dealership a great place to work?
    • Access F&I
    • Fixed Ops Journal
    • Marketing
    • Used Cars
    • Retail Technology
    • Sales
    • Best Practices
    • Dealership Buy/Sell
    • NADA
    • NADA Show
    • Automakers
    • Manufacturing
    • Suppliers
    • Regulations & Safety
    • Executives
    • Talk From The Top
    • Leading Women Network
    • Guide to Economic Development
    • PACE Awards
    • Management Briefing Seminars
    • World Congress
    • Aston Martin
    • BMW
      • Mini
      • Rolls-Royce
    • Daimler
      • Mercedes Benz
      • Smart
    • Ford
      • Lincoln
    • General Motors
      • Buick
      • Cadillac
      • Chevrolet
      • GMC
    • Honda
      • Acura
    • Hyundai
      • Genesis
      • Kia
    • Mazda
    • McLaren
    • Mitsubishi
    • Nissan
      • Infiniti
    • Stellantis
      • Alfa Romeo
      • Citroen
      • Chrysler
      • Dodge
      • Ferrari
      • Fiat
      • Jeep
      • Lancia
      • Maserati
      • Opel
      • Peugeot
      • Ram
      • Vauxhall
    • Renault
    • Subaru
    • Suzuki
    • Tata
      • Jaguar
      • Land Rover
    • Tesla
    • Toyota
      • Lexus
    • Volkswagen
      • Audi
      • Bentley
      • Bugatti
      • Lamborghini
      • Porsche
      • Seat
      • Skoda
    • Volvo
    • (Discontinued Brands)
    • Virtual reveals (Sponsored)
      • MITSUBISHI: 2022 Outlander
      • NISSAN: 2022 Pathfinder and 2022 Frontier
      • GENESIS: 2021 GV80
      • KIA: 2021 K5
      • LEXUS: 2021 IS
      • NISSAN: 2021 Rogue
      • TOYOTA: 2021 Venza and 2021 Sienna
    • Auto Shows
    • Future Product Pipeline
    • Photo Galleries
    • Car Cutaways
    • Design
  • OPINION
    • Blogs
    • Cartoons
    • Keith Crain
    • Automotive Views with Jason Stein
    • Columnists
    • China Commentary
    • Editorials
    • Letters to the Editor
    • Send us a Letter
    • Fisker gets a rare second chance to build his own car company
      The new Stellantis pickup: Schrödinger's Dakota
      Gerry McGovern is right man to steer Jaguar reinvention
      Forget the Ford GT; Moray Callum's biggest hit is the aluminum F-150
    • Jaguar is about to undergo its fourth reinvention in five decades as owner Tata Group takes a second crack at shaking up a brand whose glorious past has rarely translated into a profitable present or sustainable future.
      Jaguar Redo, Part IV
      view gallery
      1 photos
      Chip Shortage
      Jaguar is about to undergo its fourth reinvention in five decades as owner Tata Group takes a second crack at shaking up a brand whose glorious past has rarely translated into a profitable present or sustainable future.
      view gallery
      9 photos
      Leo Michael Cartoons - Q1 2021
      Dealers hiring from hospitality sector
      view gallery
      1 photos
      Hospitality Hires
    • Shifting gears away from the stick shift
      SEMA still a wonderful circus
      Penske still has plenty of races to win
      Ford's turn in the hot seat
    • March 2, 2021 | Will EV bets pay off?
      February 23, 2021 | Reliability continues to soar
      February 16, 2021 | Apple looks to take bite out of automotive
      February 9, 2021 | ‘Super’ opportunity for automakers
    • Jamie Butters
      EV plans and some damn lies
      Mark Paul
      What dealers can do if D.C. power shift affects recalls
      Reinvention of Jaguar is a tall task for McGovern
      Are we in the midst of a fourth industrial revolution?
    • Shanghai hints at how Chinese cities will pursue electrification
      How Tesla, GM transformed EV market in 2020
      Is sales recovery nearing an end?
      Beijing's uphill battle to boost EV sales
    • U.S. Dealership lot
      Lean lots won't last without new dealer discipline
      Taiwan Semicon microchips BB web.jpg
      Chip shortage shows need for new thinking
      Digital demands squeeze smaller auto retailers
      President Joe Biden’s move to electrify all government vehicles could push forward charging infrastructure development.
      Dealers aren't wrong to be wary of EV hype
    • New look at Nissan a positive sign
      Embrace EV ideas at our doorstep
      Buying EV without dealer is just easier
      Dealers are right to worry about EVs
  • DATA CENTER
  • VIDEO
    • AutoNews Now
    • First Shift
    • Special Video Reports
    • Weekend Drive
    • AutoNews Now: Chip woes persist: GM extending output cuts
      AutoNews Now: Toyota, Mazda, Subaru, Hyundai, Kia slide in Feb.; Volvo, Genesis rise
      AutoNews Now: Toyota RAV4 probed for fire risk
      AutoNews Now: Nissan 'breakthrough' could lower emissions
    • First Shift: GM, LG Chem mull second U.S. battery plant
      First Shift: Stellantis aims for higher profit margins in 2021
      First Shift: Volvo's electric push includes online-only sales
      First Shift: U.S. dealership profits surge 48% to record high
    • Bert Ogden Auto Group
      Back to basics: How a Texas group is cutting costs, saving millions 
      COVID, chips and checks: Sales headwinds and tailwinds for 2021
      N.J. dealer helps position peers for ‘electric revolution’
      DCH Millburn Audi
      'Finding the diamond in the rough': How 2020's No. 1 dealership retains talent
    • Why the pickup is the auto industry's 'battleground'
      Carlos Ghosn's quest to restore his reputation
      Why Ford must execute to avoid 'deep trouble'
      Why Honda is 'locked and loaded' for 2020
  • EVENTS & AWARDS
    • Events
    • Awards
    • Congress Conversations
    • Retail Forum: NADA
    • Canada Congress
    • Europe Congress Conversations
    • Leading Women Conference
    • Fixed Ops Journal Forum
    • ANE Shift
    • Shift: Mobility at a Crossroads
    • Shift: The Future of Mobility (CES)
    • 100 Leading Women
    • 40 Under 40 Retail
    • All-Stars
    • Best Dealerships To Work For
    • PACE Program
    • Rising Stars
    • Europe Rising Stars
  • JOBS
  • AN Solutions
  • +MORE
    • Leading Women Network
    • Podcasts
    • Webinars
    • In the Driver's Seat
    • Publishing Partners
    • Classifieds
    • Companies on the Move
    • People on the Move
    • Newsletters
    • Contact Us
    • Media Kit
    • RSS Feeds
    • Shift: A Podcast About Mobility
    • Special Reports Podcasts
    • Daily Drive Podcasts
    • AAM
    • DealerPolicy
    • Gentex
    • Reputation.com
    • Ricardo
    • Ricardo
    • Allstate: Want more from your F&I?
    • Ally: Navigating the future of automotive retailing
    • Amazon Web Services: Any place, any time, any channel
    • Amazon Web Services: The power of the cloud
    • Amazon Web Services: Universal translator: Harnessing sensor data to build better automotive software
    • Epic Games: Transforming the auto industry with digital assets
    • FTI Consulting: Crisis as a catalyst for change
    • Google: 5 trends shaping the auto industry's approach to a new normal
    • IHS Markit: Automotive loyalty in the wake of the COVID-19 recession
    • IHS Markit: Autonomous vehicles: Automotive and transportation disruption
    • IHS Markit: COVID-19: The future mobility delusion
    • Level5: 2020 Automotive E-Commerce Report
    • Naked Lime: Bring social reputation together as part of big-picture marketing
    • Wells Fargo Auto: Switching gears from LIBOR to SOFR
    • Ally: Do It Right
    • DealerSocket
    • Deloitte: Cyber everywhere: Preparing for automotive safety in the face of cyber threats
    • Facebook: The road to a zero-friction future
    • Guide To Economic Development
    • PayPal Credit: How consumer financing helps drive sales for online auto parts retailers
MENU
Breadcrumb
  1. Home
  2. F&I: Defending Data
December 09, 2019 12:00 AM

Retailers prime targets for data theft

Melissa Burden
  • Tweet
  • Share
  • Share
  • Email
  • More
    Print

    A cyber thief snatched $253,000 by intercepting a wire transfer between an exotic-car retailer and another dealership.

    In another case, a cyber criminal gained access to a dealership finance and insurance employee's computer and downloaded 200 customer credit reports from a credit bureau.

    Both of those cybercrimes occurred this year, said Erik Nachbahr, president of Helion Technologies, a Maryland company that manages information technology operations for 750 automotive and truck dealerships. Nachbahr, dealership lawyers and compliance and other experts said there have been a spike in such thefts targeting auto retailers.

    Nachbahr: Theft goes unreported.

    "Dealers have been at risk for hacking and breaches and that's because a dealership is a treasure trove" of personal and financial information, said Aaron Jacoby, managing partner of Arent Fox law firm in Los Angeles.

    Retired FBI special agent John Iannarelli, a frequent speaker at dealership association meetings on cyber security, said dealerships are targets in part because a lot of money moves in and out of the stores.
    The F&I office is particularly vulnerable, experts said, because it's where dealerships solicit nonpublic personal information such as Social Security numbers for tasks such as completing a finance application, or take credit card numbers for payments.

    Not if, when

    "I don't think it's a matter of not being breached," Linda Robertson, executive director of the Association of Dealership Compliance Officers, said of the threat to dealerships. "I think it's a matter of when."

    Iannarelli, of Scottsdale, Ariz., said one risk for dealerships is business email compromise, where someone hacks into an email system and watches exchanges, including the flow of money, perhaps also sending fake money-wiring instructions.

    Dealership employees have received fraudulent emails that appear to come from someone at the dealership asking them to buy a gift card or from someone claiming to be the controller or CFO and requesting the employee wire money, said Nachbahr, a certified information systems security professional.

    In other attacks, a dealership employee may click on an email link or attachment and a sophisticated ransomware attack can lock up a dealership's computer operations for days or weeks, experts said.

    In some cases, criminals will pretend to be a customer and ask a dealership employee to look at a file, such as a car they want to buy, and ask the employee to log in using Dropbox and use their dealership username and password, Nachbahr said.

    "It requires no hacking, really. You just stand up a fake website. So then dealership employees will go in, they will enter the credentials," Nachbahr said. "Then the cyber criminals will actually log in to their email boxes and set up a bunch of rules to forward all of their email."

    Once they have access to an employee's email, they scour for personal information such as credit card or bank-account numbers.

    Robertson: It’s a matter of when.

    Frequent breaches

    Nachbahr, who said the data theft and hacking examples include some of his clients and other dealerships in the industry he has knowledge of, said successful cyber data breaches and hacking happen every few weeks at dealerships. He called dealerships "low-hanging fruit" for cyber criminals.

    "All of this stuff is totally unreported because no dealer wants their dealership out there with a security incident," he said.

    Dealerships that suffer a data theft may have to pay for a consumer's credit monitoring if data is stolen. Breaches can also lead to be reputational damage and lawsuits, experts said.

    Nearly 84 percent of consumers wouldn't buy another vehicle from an auto retailer if their personal data had been compromised, according to a 2015 survey from auditing company Total Dealer Compliance.

    In the case of the exotic dealership, Nachbahr said cyber criminals gained access to an employee's email, likely by that employee clicking on a link. Then, they sent an email to change the bank account number for the wire, he said. Nachbahr said law enforcement was notified, as were investigators from the dealership's insurance company. But there was no recovery of the money, he said.

    In the other example, keylogger software was downloaded unknowingly onto the F&I employee's computer and had been tracing the keystrokes. The software captured the employee's login and passwords to gain access to the credit bureau, Nachbahr said. The bureau shut off the dealership's access and notified the FBI, he said, and the dealership had to investigate its data system, then prove to the bureau that the dealership understood where the attack originated and that the threat was handled. The cost of the investigation to the dealership was about $150,000, Nachbahr said. The credit bureau also is requiring an annual security audit of the dealership for the next five years.

    Under constant attack

    How common are cyberattacks on dealerships?

    • On an average day, 153 viruses and 84 malicious spam emails are blocked by technology on a dealership’s network.
    • A dealership may experience a high-severity attack, something that could impact operations or lead to data theft, more than 45 times a month.
    • A dealership may be under a critical network attack, such as a virus making a computer or network inoperable, more than 9 times a month.
    • A dealership will allow on average 6 suspicious files — coming through a firewall — onto its network each month.
    • A dealership will allow an average of 212 instances of malicious activity, such as malware or malicious spam, through a firewall each month.
    • Twice a month at each of its client dealerships, on average, a security event is severe enough that Nuspire, a cyber-security company that works with 4,000 dealerships, launches an investigation.
    • Source: Nuspire
    • Ganther: Make things seamless.
    • Singerman: Give payment info.
    • Jordan Ford employees in San Antonio contact shoppers to explain the credit inquiry.
    • Shaules said he enjoys being part of Honda’s conversation about safety.
    • Kyle Shaules’ Civic rolled five times after he hit a puddle and hydroplaned.
    Close calls

    Dealerships also have had close calls. Take Galpin Motors Inc.

    Galpin, a North Hills, Calif., dealership group, in a testimonial on vendor Credit Bureau Connection's website, said it uses Credit Bureau Connection's fraud prevention product to help identify synthetic-identity theft. A sales manager using the tool was able to stop a suspicious deal and notify the dealership's compliance department. It was investigated and referred to law enforcement.

    "While we were able to prevent the thief from obtaining a brand-new vehicle, he had already obtained other luxury vehicles from local dealerships (who I suspect were not using CBC)," Chris Cleveland, compliance director at Galpin Motors, wrote in the testimonial. "Fortunately, the information we provided to the police eventually led to the arrest of two individuals involved in scamming the other dealers."

    Cleveland and other Galpin executives did not respond to requests for comment.

    If a hack or data breach of nonpublic personal information occurs, dealerships need to be ready to act — and quickly, Robertson and other experts said.

    Robertson's Association of Dealership Compliance Officers trains dealership compliance officers on how to conduct their own security risk assessments, create policies, train employees and identify areas that need to be corrected.

    Dealers should have a breach response team ready, as suggested by Federal Trade Commission guidelines on how to handle a breach, Robertson said. She said dealers rarely know they need to do this. The team should include senior leaders and people from the dealership's information technology and legal departments, and possibly a public relations company, Robertson said. They also should have law enforcement contacts.

    Dan Hoban, chief strategy officer for Nuspire, a Commerce Township, Mich., managed security services company that works with 4,000 dealerships and monitors their networks, agreed dealers should map out a breach plan ahead of time, including which people would be pulled in to respond. After an attack, dealerships should deploy best practices to prevent another incident, Hoban said.

    Iannarelli said he was hired by a dealership that suffered a business email compromise that involved the shipment of vehicles for a significant dollar amount.

    "You've got about 24 hours," he said. "If you discover the problem and report it to the authorities, you might be able to get your money back."

    RECOMMENDED FOR YOU
    Consumers in mortgage forbearance could drop out of auto market
    Letter
    to the
    Editor

     

     

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    Consumers in mortgage forbearance could drop out of auto market
    Consumers in mortgage forbearance could drop out of auto market
    CFPB nominee vows to enforce fair lending, scrutinize big data
    CFPB nominee vows to enforce fair lending, scrutinize big data
    Enforcement likely from new CFPB administration
    Enforcement likely from new CFPB administration
    Sponsored Content: The Dealer's Guide to Implementing a Digital Sales Experience
    Sign up for free newsletters
    EMAIL ADDRESS

    Please enter a valid email address.

    Please enter your email address.

    Please verify captcha.

    Please select at least one newsletter to subscribe.

    See more newsletter options at autonews.com/newsletters.

    You can unsubscribe at any time through links in these emails. For more information, see our Privacy Policy.

    Digital Edition
    Automotive News 3-1-21
    THIS WEEK'S EDITION
    See our archive
    Fixed Ops Journal
    Fixed Ops Journal 2-8-21
    Read the issue
    See our archive
    FINANCE & INSURANCE REPORT: Sign up to get news, ideas and commentary delivered each Wednesday afternoon on how to maximize profits from your F&I products and services.
    FIRST SHIFT WITH JENNIFER VUONG: Sign up for our morning newscast and get the news you need to start your day in a quick 4-minute video.
    Get Free Newsletters

    Sign up and get the best of Automotive News delivered straight to your email inbox, free of charge. Choose your news – we will deliver.

    Subscribe Today

    Get 24/7 access to in-depth, authoritative coverage of the auto industry from a global team of reporters and editors covering the news that’s vital to your business.

    Subscribe Now
    Connect With Us
    • Facebook
    • Instagram
    • LinkedIn
    • Twitter

    Our mission

    The Automotive News mission is to be the primary source of industry news, data and understanding for the industry's decision-makers interested in North America.

    AN-LOGO-BLUE
    Contact Us

    1155 Gratiot Avenue
    Detroit, Michigan
    48207-2997

    (877) 812-1584

    Email us

    Automotive News
    ISSN 0005-1551 (print)
    ISSN 1557-7686 (online)

    Fixed Ops Journal
    ISSN 2576-1064 (print)
    ISSN 2576-1072 (online)

    Resources
    • About us
    • Contact Us
    • Media Kit
    • Subscribe
    • Manage your account
    • Reprints
    • Ad Choices Ad Choices
    • Sitemap
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Automotive News
    Copyright © 1996-2021. Crain Communications, Inc. All Rights Reserved.
    • HOME
    • NEWS
      • Dealers
        • Access F&I
        • Fixed Ops Journal
        • Marketing
        • Used Cars
        • Retail Technology
        • Sales
        • Best Practices
        • Dealership Buy/Sell
        • NADA
        • NADA Show
      • Automakers & Suppliers
        • Automakers
        • Manufacturing
        • Suppliers
        • Regulations & Safety
        • Executives
        • Talk From The Top
        • Leading Women Network
        • Guide to Economic Development
        • PACE Awards
        • Management Briefing Seminars
        • World Congress
      • News by Brand
        • Aston Martin
        • BMW
          • Mini
          • Rolls-Royce
        • Daimler
          • Mercedes Benz
          • Smart
        • Ford
          • Lincoln
        • General Motors
          • Buick
          • Cadillac
          • Chevrolet
          • GMC
        • Honda
          • Acura
        • Hyundai
          • Genesis
          • Kia
        • Mazda
        • McLaren
        • Mitsubishi
        • Nissan
          • Infiniti
        • Stellantis
          • Alfa Romeo
          • Citroen
          • Chrysler
          • Dodge
          • Ferrari
          • Fiat
          • Jeep
          • Lancia
          • Maserati
          • Opel
          • Peugeot
          • Ram
          • Vauxhall
        • Renault
        • Subaru
        • Suzuki
        • Tata
          • Jaguar
          • Land Rover
        • Tesla
        • Toyota
          • Lexus
        • Volkswagen
          • Audi
          • Bentley
          • Bugatti
          • Lamborghini
          • Porsche
          • Seat
          • Skoda
        • Volvo
        • (Discontinued Brands)
      • Cars & Concepts
        • Virtual reveals (Sponsored)
          • MITSUBISHI: 2022 Outlander
          • NISSAN: 2022 Pathfinder and 2022 Frontier
          • GENESIS: 2021 GV80
          • KIA: 2021 K5
          • LEXUS: 2021 IS
          • NISSAN: 2021 Rogue
          • TOYOTA: 2021 Venza and 2021 Sienna
        • Auto Shows
        • Future Product Pipeline
        • Photo Galleries
        • Car Cutaways
        • Design
      • Coronavirus Coverage
      • China
      • Shift
      • Mobility Report
      • Special Reports
      • Digital Edition Archive
      • This Week's Issue
    • OPINION
      • Blogs
      • Cartoons
      • Keith Crain
      • Automotive Views with Jason Stein
      • Columnists
      • China Commentary
      • Editorials
      • Letters to the Editor
      • Send us a Letter
    • DATA CENTER
    • VIDEO
      • AutoNews Now
      • First Shift
      • Special Video Reports
      • Weekend Drive
    • EVENTS & AWARDS
      • Events
        • Congress Conversations
        • Retail Forum: NADA
        • Canada Congress
        • Europe Congress Conversations
        • Leading Women Conference
        • Fixed Ops Journal Forum
        • ANE Shift
        • Shift: Mobility at a Crossroads
        • Shift: The Future of Mobility (CES)
      • Awards
        • 100 Leading Women
        • 40 Under 40 Retail
        • All-Stars
        • Best Dealerships To Work For
        • PACE Program
        • Rising Stars
        • Europe Rising Stars
    • JOBS
    • AN Solutions
    • +MORE
      • Leading Women Network
      • Podcasts
        • Shift: A Podcast About Mobility
        • Special Reports Podcasts
        • Daily Drive Podcasts
      • Webinars
      • In the Driver's Seat
        • AAM
        • DealerPolicy
        • Gentex
        • Reputation.com
        • Ricardo
        • Ricardo
      • Publishing Partners
        • Allstate: Want more from your F&I?
        • Ally: Navigating the future of automotive retailing
        • Amazon Web Services: Any place, any time, any channel
        • Amazon Web Services: The power of the cloud
        • Amazon Web Services: Universal translator: Harnessing sensor data to build better automotive software
        • Epic Games: Transforming the auto industry with digital assets
        • FTI Consulting: Crisis as a catalyst for change
        • Google: 5 trends shaping the auto industry's approach to a new normal
        • IHS Markit: Automotive loyalty in the wake of the COVID-19 recession
        • IHS Markit: Autonomous vehicles: Automotive and transportation disruption
        • IHS Markit: COVID-19: The future mobility delusion
        • Level5: 2020 Automotive E-Commerce Report
        • Naked Lime: Bring social reputation together as part of big-picture marketing
        • Wells Fargo Auto: Switching gears from LIBOR to SOFR
        • Ally: Do It Right
        • DealerSocket
        • Deloitte: Cyber everywhere: Preparing for automotive safety in the face of cyber threats
        • Facebook: The road to a zero-friction future
        • Guide To Economic Development
        • PayPal Credit: How consumer financing helps drive sales for online auto parts retailers
      • Classifieds
      • Companies on the Move
      • People on the Move
      • Newsletters
      • Contact Us
      • Media Kit
      • RSS Feeds