If you bought a car in the last few years, it is possible that your data is available for sale on the black market.
Names, addresses, phone numbers and Social Security numbers for both customers and employees of over a hundred car dealerships were exposed. For how long, and to whom, is unknown.
The system that got hacked is a centralized system by DealerBuilt. They provide management software for car dealerships around the country. The system manages sales, customer relations and employee payroll for these dealerships.
MacKeeper researchers discovered 128 dealerships backing their data up to the cloud without any encryption or access control.
The database was found through Shodan, a search engine often used for locating Internet of Things devices.
The server had port 873 open. Port 873 is the default port for the rsync daemon. Rsync is used to synchronize files and databases, say, between a car dealership and a central server.
A few of the databases were shared with ZDNet, which verified that the data was real.
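An exposed rsync daemon is the kind of misconfiguration that is easy to find on your own servers before anyone else does. The following is an added illustrative example, not DealerBuilt's configuration or code: a small Python audit of an `rsyncd.conf` that flags modules reachable without credentials, without a source-address restriction, writable anonymously, or listable. The configuration keys (`auth users`, `secrets file`, `hosts allow`, `read only`, `list`) are standard rsync daemon settings; the sample configuration, module names and paths are constructed for the example.

```python
"""Audit an rsyncd.conf for modules exposed without authentication or host
restrictions.  Added illustrative example; the sample configuration below
is constructed and is not DealerBuilt's or any dealership's real config."""
import re

# Constructed sample.  The first module mirrors the kind of exposure the
# post describes (a backup share reachable with no credentials); the second
# is a hardened version of the same share.
SAMPLE_CONF = """
# global settings
use chroot = yes
max connections = 4

[dealer_backup]
    path = /srv/backups/dealers
    comment = nightly dealer DB sync
    read only = no

[dealer_backup_hardened]
    path = /srv/backups/dealers
    comment = nightly dealer DB sync
    read only = no
    list = no
    auth users = dealer_sync
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/16
    hosts deny = *
"""


def parse_rsyncd_conf(text):
    """Return (global_settings, {module_name: settings}).

    Keys are lower-cased; blank lines and '#'/';' comments are skipped.
    Settings before the first [module] header are global defaults."""
    global_settings = {}
    modules = {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return global_settings, modules


def _truthy(value, default):
    return (value if value is not None else default).lower() in ("yes", "true", "1")


def audit_module(settings, global_settings):
    """List the weaknesses of one module.  Module keys override global ones,
    which is how the rsync daemon itself resolves them."""
    eff = {**global_settings, **settings}
    findings = []
    authenticated = bool(eff.get("auth users"))
    if not authenticated:
        findings.append("no 'auth users': anonymous access")
    elif not eff.get("secrets file"):
        findings.append("'auth users' set but no 'secrets file'")
    if not eff.get("hosts allow"):
        findings.append("no 'hosts allow': reachable from any source address")
    # rsyncd defaults: read only = yes, list = yes
    if not _truthy(eff.get("read only"), "yes") and not authenticated:
        findings.append("'read only = no' without authentication: anonymous writes")
    if _truthy(eff.get("list"), "yes"):
        findings.append("'list = yes': module name is enumerable")
    return findings


def audit(text):
    """Map every module name in the config to its list of findings."""
    global_settings, modules = parse_rsyncd_conf(text)
    return {name: audit_module(s, global_settings) for name, s in modules.items()}


if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"[{module}] {status}")
```

Run it against a real `rsyncd.conf` by reading the file into `audit()`. Note what the audit does not catch: rsync daemon mode on port 873 transfers data in plaintext regardless of these settings, so even a correctly restricted module should be reached over an SSH tunnel or a VPN rather than directly from the Internet, which is the "no encryption" half of the exposure described above.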
The best guess as to the number of customer and employee records affected is in the millions, possibly around 5 million.
The car dealerships that ZDNet spoke with were somewhat dismayed, to be polite.
Apparently, the system has been secured now, but the company is keeping quiet about the breach. While I am not an attorney and don’t even play one on the Internet, it would seem that this breach is reportable, probably in a number of different states.
The bigger point here is that while cloud based solutions are cool, it is still up to the customer to make sure that the security of the cloud systems that they use is up to snuff.
It is possible that the contracts with DealerBuilt make DealerBuilt responsible for all data breaches, but I doubt it.
In fact, more than likely it is the other way around: DealerBuilt is responsible for nothing and the dealer is responsible for everything.
For an organization like a car dealership, an organization like DealerBuilt probably seems like a safe bet. They probably have hundreds if not thousands of customers, so a dealership figures it would be safe.
In the meantime the dealers are caught in the middle of a breach, and DealerBuilt is letting them swing in the breeze by not saying anything or even admitting that there is a breach.
For all companies using line of business cloud based services, having a vendor risk assessment program to analyze the risks and make informed decisions might be a really good plan.
In the meantime, there may be 5 million customers and employees of over a hundred car dealerships who are victims of a data breach.
Information for this post came from ZDNet.