Dealer-FX warns customers about alleged Xtime vulnerability that could potentially expose customer data
The following email was forwarded to DataBreaches.net by the recipient:
From: Privacy Officer [mailto:[email protected]] Sent: Thursday, April 28, 2011 10:57 AM
To: Privacy Officer
Subject: URGENT SECURITY CONCERN
We are writing to warn you of our recent discovery of a serious security defect in one of our competitor’s systems. The defect, which is in an Xtime system, may compromise your customer database and possibly your own Dealer Management System (“DMS”). As a result of this defect, members of the public are able to gain unrestricted access to ALL of your customer lists, including names, addresses, VIN’s, email addresses, and telephone numbers.
Additionally, because the defect allows for the display of a dealer’s DMS system type, modem dial-in number, and DMS login and password information, we believe that, in some cases, this could also enable members of the public to access your dealership’s customer information and other business information.
As you are a valued client, Dealer-FX’s primary concerns are for your security and the integrity of our relationship. This is why we are coming to you and all of our other clients directly with this information. We want to assure you that we discovered the defect inadvertently; we did not use hacking or any other unscrupulous means. We have reported the defect directly to Xtime Inc., and given them the information necessary to take immediate and appropriate action.
We are uncertain as to the damage (if any) that may have been caused to you or your customers as a result of the security defect. However, given the seriousness of this issue, we recommend that you contact Xtime if you have concerns about the extent of your exposure and/or the security of your data and systems. And please do not hesitate to call us if you’d like to discuss this matter further.
Sandor Segal | Director of Operations and Privacy
Dealer-FX Group, Inc.
Xtime’s web site describes Xtime as
the leading provider of Web Scheduling and Customer Relationship Management (CRM) solutions for automotive service departments in the US. With over 3,000 dealerships enrolled and over 24 million appointments booked, Xtime is well positioned to deliver the innovative service solutions required for today’s market.
A spokesperson for Xtime informs DataBreaches.net that they received notification from Dealer-FX minutes before Dealer-FX sent its email warning to customers. Xtime started investigating the reported vulnerability immediately and by 9:45 am today, had modified perms for a feature that had enabled limited access to customer data. According to the spokesperson, only a small number of dealerships might have been affected, but they are still investigating the problem. The spokesperson confirmed that customers’ names, vehicle descriptions (which includes VIN) and email addresses were potentially viewable, but Xtime’s investigation has not yet confirmed or disconfirmed whether any addresses or telephone numbers were viewable. So far, they have identified only one IP address that may have accessed a limited amount of data, but it is not clear whether that IP is associated with a Dealer-FX employee or not.
Xtime plans to contact any customers who may have been affected after they get more information from their investigation. Their spokesperson points out that so far, there is no indication that there was any mass collection of customer data, nor any confirmation of all of Dealer-FX’s claims, including claims about DMS vulnerability to access. The company plans to provide more information when it’s further into its investigation.