According to a June 12 settlement announced by the Federal Trade Commission, back in 2015 an employee of Iowa-based LightYear Dealer Technologies, the parent company of DealerBuilt, plugged in a storage device to the company’s backup network in order to increase storage capacity. However, the employee failed to ensure that the device was securely configured, thereby providing an open, insecure port into the company network, which was open for 18 months.
Subsequently, a hacker was able to penetrate the network and gain access to the company’s unencrypted backup data, including personal information — such as Social Security and drivers’ license numbers — of about 12.5 million consumers, and the entire backup directories of five dealerships. DealerBuilt failed to detect the breach until an auto dealer’s customer complained about personal information becoming public on the internet, and a reporter told the company about the security vulnerability.
Read the full story on our sister site, Auto Finance Excellence, here.