Hackers are Increasingly Targeting Auto Dealers


_________________________________________________________________________________________
Update as of July 11, 2024
In late June, more than 15,000 car dealerships across North America were affected by a cyberattack on CDK Global, which provides software to car dealers. After two cyberattacks over two days, CDK shut down all systems, which caused delays for car buyers and disruptions for the dealerships. Many dealerships went back to manual processes, including handwriting up orders, so that sales could continue at a slower pace.
Car buyers who recently bought a car from a dealer using CDK software should assume their information has been breached. Information that could be compromised includes Social Security number, employment history, income and current or former addresses. Customers should contact the dealer to confirm whether they use CDK and, if so, consider freezing their credit.
_________________________________________________________________________________________
Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in their current protection, which is a 21% decrease from 2021.
The study also found that dealerships experienced an average of 16 days of downtime after a ransomware attack, with an average payout of $228,125. However, the biggest impact of attacks on dealerships is likely the impact on customer loyalty. Some 84% of customers say they would not buy another vehicle from a dealership if a breach compromised their data.
With 36% of data breaches at dealerships related to phishing, it’s not surprising that dealerships rated phishing as their top concern. Other top threats included ransomware, lack of employee awareness, theft of business data, PC viruses or malware and stolen or weak passwords.
Increased vulnerabilities at dealerships
Phishing-related attacks typically stem from user error. According to the National Automobile Dealers Association Workforce Study, the annual turnover rate across all dealership positions is 24%. While this rate has gone down in recent years, dealerships still see relatively high employee turnover. This makes training and compliance a continuing challenge.
Dealerships typically also have unsecured wireless networks for customers to use while at the dealership. While this is a nice perk for customers, especially those waiting for their cars to be serviced, hackers can more easily gain access to customer data through unsecured networks. By moving to guest networks and providing passwords, dealerships can provide more protection and decrease risk.
The CDK Global study found that almost 60% of dealerships plan to increase their IT infrastructure investments. Top investments included antivirus and malware protection tools, which saw a 31% increase from 2021. According to the report, dealers also are updating cybersecurity measures that will protect them from top threats such as phishing and ransomware. Other planned investments reported by dealerships include securing endpoint devices, investing in cybersecurity insurance and continued staff training.
Dealerships must comply with Safeguards Rule by June 2023
In addition to the increased threats, many dealerships are focusing on cybersecurity to comply with the FTC Safeguards Rule. While the rule was initially planned to be active starting in December 2022, dealerships got an extension until June 2023 to meet the requirements. As a non-bank financial institution, auto dealerships specifically fall under the Safeguards Rule, which requires businesses to develop, implement and maintain a comprehensive security program to keep their customers’ information safe.
To meet the requirements, dealerships must:
- Designate a qualified individual to oversee their information security program
- Develop a written risk assessment
- Limit and monitor those who can access sensitive customer information
- Encrypt all sensitive information
- Train security personnel
- Develop an incident response plan
- Periodically assess the security practices of service providers
- Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.
Even with the six-month extension, dealerships must act quickly to meet the new regulations. The requirements for compliance take careful planning and time for implementation. By beginning today, your dealership will be ready both to meet the new regulations and reduce your vulnerability.
If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
https://securityintelligence.com/news/hackers-increasingly-targeting-auto-dealers/
