Auto Dealer Software Provider Settles FTC Data Security Allegations
The following is a press release issued by the Federal Trade Commission (FTC) that relates to a data security incident — a misconfiguration — discovered by MacKeeper researchers in 2016 that was previously noted on this site, including a subsequent settlement between DealerBuilt and the New Jersey Attorney General’s Office. From the wording of the release, it sounds like the FTC wants us to know that it is trying to avoid a repeat of what happened when the Eleventh Circuit held that they weren’t specific enough. What I might take away from this one, though, is that all the companies that have misconfigured databases or backups should be on notice that your failure to configure properly and take simple steps to audit or check your security may result in federal enforcement action that can be costly.
An Iowa company that sells software and data services to auto dealers has agreed to take steps to better protect the data it collects, to settle Federal Trade Commission allegations that the firm’s poor data security practices led to a breach that exposed the personal information of millions of consumers.
In a complaint, the FTC alleges that LightYear Dealer Technologies, LLC (doing business as DealerBuilt) failed to implement readily available and low-cost measures to protect personal information it obtained from its auto dealer clients.
“Today’s announcement reflects additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices,” said FTC Chairman Joe Simons. “The settlement with DealerBuilt imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third party assessor’s accountability and providing the FTC with additional tools for oversight.”
DealerBuilt develops and sells dealer-management system software and data processing services to auto dealers across the country. The software collects large quantities of personal information about dealership consumers, including names, addresses, birth dates, and Social Security numbers. Its payroll software collects similar information from dealership employees, along with bank account information. The FTC alleges that the personal data DealerBuilt collected was stored and transmitted in clear text, without any access controls or authentication protections.
According to the FTC’s complaint, a DealerBuilt employee connected a storage device to the company’s backup network without ensuring that it was securely configured, leaving an insecure connection for 18 months.
The company never performed any vulnerability scanning, penetration testing, or other measures that would have detected the vulnerability, according to the complaint. The FTC alleges that DealerBuilt failed to take other steps to protect personal data stored on its network such as developing, implementing, or maintaining a written information security policy and training for employees; using security measures to monitor its systems and assets; and imposing reasonable data access controls.
The FTC alleges these failures led to a breach of DealerBuilt’s backup database beginning in late October 2016 over a 10-day period, when a hacker gained access to the unencrypted personal information of about 12.5 million consumers stored by 130 DealerBuilt customers. The hacker downloaded the personal information of more than 69,000 consumers, including their Social Security numbers, driver’s license numbers, and birthdates, as well as wage and financial information. DealerBuilt did not detect the breach until it was notified by one of its auto dealer customers, who demanded to know why its customer data was publicly available on the Internet, according to the complaint. The types of personal information stolen from DealerBuilt—names, addresses and Social Security numbers—are often used to commit identity theft and fraud, the complaint notes.
The FTC alleges that DealerBuilt violated the FTC Act’s prohibition against unfair practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program.
As part of the proposed settlement with the FTC, DealerBuilt is prohibited from transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program designed to protect the personal information it collects. Among other things, the order requires DealerBuilt to implement specific safeguards that address the allegations in the FTC complaint.
The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. In addition, the order requires a senior corporate manager responsible for overseeing DealerBuilt’s information security program to certify compliance with the order every year. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.
The Commission vote to issue the proposed administrative complaint and to accept the consent agreement with DealerBuilt was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.