Large data breaches have become an almost daily occurrence. Health insurer Anthem revealed a breach in February that exposed an astonishing 80 million patient and employee records. This was followed by another health insurance company, Premera BlueCross-BlueShield, announcing in March that it had discovered a breach in January that affected as many as 11.2 million subscribers.
Many security breaches are not made public for several months after they have been discovered. This gives the breached companies an opportunity to secure their systems. So while you are reading this, it’s quite likely that another large data breach has already occurred and is pending announcement.
Securing data at the dealer level is the responsibility of everyone who touches that data, not just the dealers themselves. OEMs and DSPs as well as third-party vendors must all play a role in preventing embarrassing and costly breaches. Dealerships handle and store large quantities of PII and are tempting targets for the reasons listed below.
Dealers As The Next Victims
With so many recent large targets including Sony, Target, the U.S. government, and large banks, it could be easy for a small or medium-sized dealer to think that it does not represent a “target of opportunity” for hackers. In fact, the opposite is true. Below are two big reasons.
The first is that dealership data systems are a treasure trove of personally identifiable information including names, addresses, emails, Social Security numbers, credit card information and other types of financial information gathered during the F&I process. Strange as it may seem, a dealership may have as much or more of your PII than your financial institution.
Secondly, dealers have often lacked the financial and technical resources to provide first-rate data security. Nowhere is this more evident than in the outdated versions of computer software and hardware (or, to be politically correct, “legacy systems”) still in use by many dealers. Legacy systems were constructed before the current wave of data breaches, so they are inherently less secure, and due to their age they are often no longer supported by vendors.
Overall, dealerships have multiple points of potential vulnerability. Below, we’ve listed some of what we believe to be the largest potential weaknesses, but certainly others exist.
Data System Vulnerabilities
Microsoft’s support for Windows XP ended in April 2014. Many ATMs used XP, and a breach in 2013-2014 cost over 100 European banks $1.2 billion (USD) in losses. Many retail locations including fast food, clothing and convenience stores still have XP as their operating system. Next time you are out shopping, count how many Windows XP screen savers you see. The truth is, many dealers are still using XP, long after it has been sunsetted.
Older versions of UNIX/Linux are vulnerable as well. A large-scale vulnerability in the Bourne-Again Shell (Bash), known as ‘Shellshock’, was discovered in 2014. This vulnerability gives intruders unprecedented access to these systems. A fix was quickly produced, but older systems may not be compatible with the fix or may no longer be supported by the original vendor. Many dealer systems are based on Unix/Linux as well as Windows XP.
Lax Internal Policies
Not having clearly defined data security policies that are rigorously implemented is a sure way to open the door to data thieves. A strong data-security program will address personnel, IT infrastructure, suppliers and third parties. This should begin with a thorough audit and assessment of existing IT-related security issues and identification of the possible risks. These could include the loss or theft of company-owned laptops holding sensitive customer financial data, and the common practice of “bring your own device” (BYOD), which should be reviewed.
Dealers should also consider contracting with an outside security firm to provide audits and system vulnerability scans, and to ensure that the dealership is compliant with ever-changing security regulations.
Third Party Vendors
Target’s massive breach was apparently caused by someone gaining access to a third-party vendor used by many Target stores. This then provided the hackers with a back door into the entire Target payment processing system.
Allowing third-party vendors access to dealer information systems has been a common practice for decades, but it must now be placed under extreme scrutiny to ensure that a dealership is secure. Just consider how many third-party vendors may have some access to a dealership’s systems, especially third-party software vendors. The best firewalls and antivirus software are useless when someone has been granted critical internal access. These third-party vendors are essentially already inside the firewall at that point.
How Much Does A Data Breach Cost?
While the cost of upgrading systems, implementing policies and possibly hiring outside security consultants may seem high, it pales in comparison to the cost of a breach. The Ponemon Institute estimates that the average data breach cost a company $3.5 million in 2014. This is up 15% from the year before. Other studies by IBM say that the costs could be as high as $5.9 million. These costs plus possible criminal penalties could be enough to financially destroy a dealership.
OEMs should also take notice. While dealerships are technically independent businesses, the public often perceives the dealership as an extension of a brand. In fact, an OEM’s efforts to push dealers to modernize and unify their dealerships and messaging reinforce that perception. Fair or not, a well-publicized dealership breach will create a black eye for an OEM, especially if multiple breaches occur.
Steps To A More Secure Dealership
Dealers should get a full accounting of which third parties have access to their systems and limit that access as much as possible. This accounting should be available from their DSPs. Third-party vendors that have system access are responsible for 33% of all data breaches.
In addition, dealers should require third-party vendors to provide documentation regarding their own policies concerning data security, compliance with relevant laws and industry requirements, breach response, indemnification, and insurance for data breaches.
Dealers must convey to their employees that data security is everyone’s responsibility. This should be followed up by upgrading their hardware and software and ensuring that rigorous internal security policies are created, enforced and periodically reviewed.
Dealerships must demand that all of their software vendors supply them with the most up-to-date and secure systems, along with proof that any data transfers or access are being handled in the most secure manner possible. With dealerships coming to rely upon expanded software systems and capabilities, this is absolutely essential. When choosing new software, make sure that it integrates with your current system and that the integration design is robust and secure.
Lastly, only a recognition by the dealers, OEMs and DSPs that data security is a clear and present danger to their businesses will cause the shift that is necessary to secure everyone’s vital data and create peace of mind. Due to the complex and fluid nature of data and data transmission, all involved must recognize that this requires an integrated effort.