The news this week of a settlement between Equifax and the U.S. government as well as 48 states, under which the credit reporting giant will pay $700 million in fines to consumers whose personal data was exposed due to improper security, reminds us that data security remains a problem even for the largest companies. For some smaller organizations, it is proving to be something of a worst-case nightmare.
Dealer software company LightYear Dealer Technologies, LLC, which also does business as DealerBuilt, has been accused by the Federal Trade Commission (FTC) of violating the provisions of the Standards for Safeguarding Customer Information Rule, which is part of the Gramm-Leach-Bliley Act.
The software, which helps dealers with F&I processes, fixed ops management, accounting, parts inventory and payroll, is used across the U.S. by approximately 180 dealerships. Customers can either license the company’s DMS solution and have DealerBuilt host their data, or they can run the software on their own premises, host their data locally and use DealerBuilt as a data backup service.
The complaint against the company originates in 2015, when a DealerBuilt employee purchased a storage device to increase available backup storage and failed to ensure that the device was properly secured. This failure created an open connection port that allowed transfers of personal information for approximately 18 months. During this time, DealerBuilt conducted no vulnerability scanning, penetration testing, or other diagnostics to detect the open port.
As a result, in 2016, a hacker gained access to the unencrypted personal information of about 12.5 million consumers stored by 130 DealerBuilt customers. The hacker attacked DealerBuilt’s system on several occasions, downloading the personal information of 69,283 consumers, which amounted to the entire backup directories of five customers. The data included names, addresses, telephone numbers, social security numbers, driver’s license numbers, and dates of birth of dealership customers, as well as wage and financial account information for dealership employees.
As a result of the breach, dealers have been left to cope with the fallout. The stolen personal data could easily be used for identity fraud crimes.
“Respondent’s failures to provide reasonable security for the sensitive personal information about dealership consumers and employees, and business financial information, has caused or is likely to cause substantial injury to consumers and small businesses in the form of fraud, identity theft, monetary loss, and time spent remedying the problem,” wrote the FTC in the complaint.
As part of a proposed settlement with the FTC, DealerBuilt cannot transfer, sell, share, collect, maintain or store personal information unless it implements and maintains a comprehensive information security program designed to protect the personal information it collects. The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years.