Poor data security practices at a software company that supplies services to auto dealers led to a breach that risked exposing the personal information of around 12 million consumers, according to allegations from the US Federal Trade Commission (FTC).
The regulator alleged that LightYear Dealer Technologies, trading under the name DealerBuilt, failed to implement readily available and low-cost measures to protect the personal information it obtained from its auto dealer clients.
As a consequence, the FTC alleged, DealerBuilt’s backup database was breached for about 10 days beginning in late October 2016, during which a hacker gained access to the unencrypted personal information of about 12.5 million consumers stored on behalf of 130 DealerBuilt customers.
The hacker downloaded the personal information of more than 69,000 consumers, including their social security numbers, driver’s license numbers, and birthdates, as well as wage and financial information.
DealerBuilt did not detect the breach until it was notified by one of its auto dealer customers, who demanded to know why its customer data was publicly available on the Internet.
The types of personal information stolen from DealerBuilt - names, addresses and social security numbers - are often used to commit identity theft and fraud, the FTC noted.
To settle the FTC allegations, the company agreed to take steps to better protect the data it collects.
DealerBuilt develops and sells dealer management system software and data processing services to auto dealers across the country.
The software collects large quantities of personal information about dealership consumers, while its payroll software collects similar information from dealership employees, along with bank account information.
The FTC alleges that the personal data DealerBuilt collected was stored and transmitted in clear text, without any access controls or authentication protections.
The regulator claims a DealerBuilt employee connected a storage device to the company’s backup network without ensuring that it was securely configured, leaving an insecure connection for 18 months.
The company never performed any vulnerability scanning, penetration testing, or other measures that would have detected the vulnerability, according to the complaint.
The FTC alleges that DealerBuilt failed to take other steps to protect personal data stored on its network such as developing, implementing, or maintaining a written information security policy and training for employees; using security measures to monitor its systems and assets; and imposing reasonable data access controls.
As part of a proposed settlement with the FTC, DealerBuilt is prohibited from transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program designed to protect the personal information it collects.
The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years. The assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document reviews.
The order also requires a senior corporate manager responsible for overseeing DealerBuilt’s information security program to certify compliance with the order every year and grants the FTC the authority to approve the assessor for each two-year assessment period.
FTC chairman Joe Simons said: “Today’s announcement reflects additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices.
“The settlement with DealerBuilt imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third-party assessor’s accountability and providing the FTC with additional tools for oversight.”
The US response comes as the UK’s Information Commissioner has announced the first substantial fines for data security breaches under the EU’s new General Data Protection Regulation (GDPR), which allows for penalties of up to 4% of annual global turnover.
They include a record-breaking £183 million ($228 million) fine for British Airways over an incident where hackers harvested details of around 500,000 customers, and a £99 million ($123 million) penalty for the Marriott hotel chain, which disclosed that 339 million guest records globally had been exposed during a cyber incident, of which seven million involved UK citizens.
Referring to the US settlement, James Tew, chief executive officer of vehicle retailing platform iVendi, said: “In this case, the company at fault has only been punished by putting in place a range of future measures surrounding security. It is difficult to see the Information Commissioner in the UK being as lenient.
“The data lost presumably belonged to individual dealers and the customers concerned will have had to be informed. The loss of reputation of all the parties involved must have been substantial and this will inevitably have a financial impact.”