DMS Company Settles with FTC Over Data Breach

Given the nature of the auto sales business, most dealers keep at least some sensitive personal information in their files (names, Social Security numbers, bank account or credit card information, policy numbers, VINs and driver’s license numbers) that identifies customers or employees.

While keeping this information is necessary to help customers apply for financing, insure their vehicles and make down payments, it’s precisely the kind of information fraudsters would love to access. A single security breach can mean losing the trust of your customers, and even an expensive lawsuit or a fine from the federal government.

For this reason, safeguarding customers’ personal data is good for business. Not everyone is an IT expert, and ensuring that sensitive data is protected to the best of existing technology’s ability is a challenge that not everyone is equipped for. Many dealers trust that their dealer management system (DMS) providers have the matter in hand, but this isn’t always the case.

LightYear Dealer Technologies, LLC, an Iowa-based company that does business as DealerBuilt, makes what it calls a “user-friendly dealer management system that liberates auto dealers to choose how best to modernize.” The solution includes vehicle inventory management, customized reporting, parts management, F&I tools, trade-in process management, forms and more. Unsurprisingly, it stores a lot of personal customer information. The Federal Trade Commission (FTC) has alleged that the company did too little to protect that information.

DealerBuilt recently settled with the FTC over allegations that the company’s poor data security practices led to a breach that exposed the personal information of millions of vehicle buyers. The company, according to the FTC, failed to implement readily available and low-cost measures to protect personal information it obtained from its auto dealer clients and their customers.

Specifically, the commission alleges that a DealerBuilt employee connected a storage device to the company’s backup network without ensuring it was securely configured, leaving an insecure connection for 18 months, and that the personal information of customers and employees was stored and transmitted in clear text, without any access controls or authentication protections. As a result, a hacker was able to gain access to the unencrypted personal information of about 12.5 million consumers stored by 130 DealerBuilt customers. The breach was discovered by one of DealerBuilt’s dealer customers, who found the personal information of its own customers on the Internet.

“Today’s announcement reflects additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices,” FTC chairman Joe Simons said in a news release. “The settlement with DealerBuilt imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third-party assessor’s accountability and providing the FTC with additional tools for oversight.”

According to the terms of the settlement, DealerBuilt is prohibited from transferring, selling, sharing, collecting, maintaining or storing personal information until it builds an up-to-date information security program designed to protect customer data and obtains a third-party evaluation of its security protocols.