Reynolds and Reynolds recently sat down with industry experts to discuss how changes to the FTC Safeguards Rule will impact auto dealers. After talking through the risks of cyberattacks, the panel addressed the amendments and answered pressing questions from dealers. With the compliance deadline of December 9, 2022, it's important to be educated on cybersecurity and prepared for the amendments to take effect. To see the full Q&A sessions, visit https://www.reyrey.com/cp/safeguards-and-cybersecurity-event-live.
FTC Safeguards and Cybersecurity Q&A
Shawn Leibold: Well, good morning and welcome to our Q&A session on FTC Safeguards and cybersecurity. My name is Shawn Leibold. I'm director of Industry Relations here at Reynolds and Reynolds, and I'm joined by a panel of great industry experts. I want to start off with Brad Holton, founder of Proton Dealership IT. Thank you, Brad, for joining us this morning.
Brad Holton: Thank you so much for having me.
Shawn Leibold: Also joined by Nikhil Kalani. He's our chief information security officer here at Reynolds and Reynolds. And also graciously joining us via Zoom is Brad Miller, who's our chief regulatory counsel and digital affairs and privacy officer at NADA. So good morning, gentlemen, and thank you again for joining us. So let me flip it to you, Brad. So from a Proton side, I know you gave one example earlier about the TV truck pulling in. The dealer called you. Can you walk us through what that process would look like in a traditional fashion?
Brad Holton: We actually will kind of back up and say, okay, we got the call on that one. I think it was a Monday morning, 7:38 a.m., and it was actually a dealer group that we had given a proposal to earlier that June. This was in December, I think. So we'd kind of been in touch with them and they called and said, okay, so that stuff you told us that could happen if we didn't completely get everything in place and overhaul. This is what you meant. And I said, yeah, this is what we're talking about. So all we knew at that point was something was wrong. Not a single computer worked. All the servers, I mean, everything. Email was down, everything was down. So we got engaged around 7:30 and, you know, woke everybody up, got everybody going, you know, and let's get the team going. So, you know, we sent guys to all the stores and tried to figure out, you know, as fast as we could what was going on. As we were cleaning things up, we were able to trace it back to see how it actually happened. And it had happened through that same email platform I mentioned earlier, where a finance manager had gotten an email he thought came from the controller, clicked on it, saw a little thing pop up, didn't think much about it, just a little rectangle popped up and then went away. That was on Thursday, about 4:35, when he clicked on that. And by 4:39 we were able to see that things had already been downloaded. His computer, they were already scanning and they had already dumped all of his email, already dumped his passwords, all that sort of stuff. By Friday, we could see that it was reaching out to other computers, scanning the network, once again fully automated. Still, nobody was involved. You know, it had already kind of started to penetrate some of the servers. And then Saturday evening we were able to see in the logs notes that showed that people were actually logging in now from overseas.
We knew it was Eastern Europe. Some of the tools they used had the Russian alphabet in them. So we kind of had a pretty good idea who our hacker was. And then once we were able to see the file extensions, the way they encrypted things, we were able to actually drill right down. It was actually a group that was affiliated with the FSB in Russia; Grim Spider was their online moniker they went by. We figured all that out, but the dealer, what he experienced from Monday morning until, we'll call it, Thursday, he was pretty much not doing anything at all. So we overnighted, I think, 200 PCs. We started wiping PCs that we could, started locking down servers. Basically every single device they had had been encrypted. When I say encrypted, they actually encrypted the operating system itself, the user files. So when you tried to turn the computer on and log in, it would just error out. So nothing worked at all. All the servers were gone. Unfortunately, they did not have good backups of all of their stuff. They might have had 10% backed up, 15%, something like that. So we did lose a ton of data. Luckily, they did not exfiltrate data ahead of time, so we were able to go back and look through all the logs, look at the firewall logs, look at all the traffic going out. And we were able to determine that they did not package any data and exfiltrate it out in that case. So we didn't have that double extortion situation. We just had the initial extortion. We wound up destroying just basically everything and starting over. We lit a match, just rebuilt everything. It took about three weeks for them to be 100% operational. So by Thursday, we had, you know, maybe two PCs in each service drive, you know, one or two PCs in sales, one or two PCs in finance. We had each business function restored, but it was limping along. And even then it was very painful. You know, email had to be completely rebuilt from scratch. It was all gone.
So, you know, it was just one thing after another that we had to put back together, and we had to prioritize who was going to get what. And, you know, just simple things. You know, we think about, like, Office, reloading Office on all the PCs, and then, you know, all the saved passwords you had on the PCs, because everybody just put their passwords in Chrome. And, you know, it was just all these pain points that it took to get them back to work. It's a very long process.
Nikhil Kalani: I'll add a little bit more to what Brad said here. You know, once an attack happens, now is the time when you can't afford to hesitate. And how are you going to respond? Fluency of response is needed. So working with a professional who's done this dozens and dozens or hundreds of times and has got the fluency in the tools, no hesitation. That's what's needed during an incident response. It's very difficult otherwise for a business to kind of figure this out. This is the first time I've ever seen this happen.
Shawn Leibold: We've said that, you know, if a dealership has the right infrastructure, the right IT infrastructure in place, the cybersecurity pieces in place, you know, how could these attacks be mitigated? Can they, or can't they? I mean, they think they're good, right?