WASHINGTON — The Federal Trade Commission announced it has reached a consent agreement with LightYear Dealer Technologies, better known to the U.S. auto retail industry as DealerBuilt. The action is related to a 2016 incident in which a hacker accessed the records of about 12.5 million customers who had done business with 130 DealerBuilt dealerships nationwide.
“The firm’s poor data security practices led to a breach that exposed the personal information of millions of consumers,” the FTC’s statement reads, in part, noting the company “failed to implement readily available and low-cost measures to protect personal information it obtained from its auto dealer clients.”
The hacker posted a 69,283-customer sampling online over a 10-day period. The breach was initially discovered by one of the affected customers, spurring investigations at the federal and state levels. FTC officials said personally identifiable information such as names, dates of birth, Social Security numbers, and bank accounts was “stored and transmitted in clear text, without any access controls or authentication protections.”
The breach was eventually traced back to a DealerBuilt employee who connected an unsecured external storage device to the company’s backup network and left it there for 18 months. “The company never performed any vulnerability scanning, penetration testing, or other measures that would have detected the vulnerability,” according to FTC officials.
The consent agreement precludes DealerBuilt from transmitting or storing personal information until “reasonable data access controls” that meet the standards of the Gramm-Leach-Bliley Act’s Safeguards Rule are confirmed to be in place. Any violation of the agreement could result in severe financial penalties.
DealerBuilt CEO Michael Trasatti told Automotive News the company acted quickly when the breach was discovered three years ago and has been attacking potential vulnerabilities ever since.
“We take securing customer data seriously,” Trasatti said. “We work to continuously improve our security.”