Cybersecurity Snapshots #33 - Car Dealerships Need to Take Cybersecurity More Seriously

Cybersecurity Snapshots #33 -

Car Dealerships Need to Take Cybersecurity More Seriously

Automotive dealerships are becoming targeted more frequently by adversaries because they realize that many are easy targets and hold a large amount of confidential customer data. Security researchers at CDK Global found that 85% of dealership IT employees surveyed reported that their dealership had suffered a cyberattack in the last two years. The researchers noted that auto dealer IT networks intercept around 153 viruses and 84 malicious spam emails daily. Many surveyed dealerships (70%) do not have up-to-date antivirus software and researchers found that a successful ransomware attack against a dealership usually causes a 16-day downtime.

In 2019 Arrigo Automotive Group was hit with a ransomware attack that halted business for several days. In August 2020 a German dealership belonging to the Volkswagen Group had fallen victim to the “Conti” ransomware group. In total, 8,325 invoices in PDF form were stolen and published on a leak site, exposing details that could be used in scamming or phishing attacks against the clients. Also, these invoices could help Business Email Compromise (BEC) actors target Volkswagen. In February 2021, Kia Motors America was hit with a ransomware attack that caused a nationwide IT outage affecting internal, dealer, and customer-facing systems. The DoppelPaymer ransomware gang left a ransom note stating that a "huge amount" of data was stolen and would be released in 2-3 weeks if Kia Motors America did not pay the ransom. On January 11, 2022, one of Europe's biggest car dealers, Emil Frey, was hit by a ransomware attack. The Swiss company showed up on the list of victims of Hive ransomware on February 1. One of the UK's largest family-run car dealerships suffered a serious ransomware attack in July which resulted in data theft and the damage "beyond repair" of some core systems. Holdcroft Motor Group was earlier hit with a ransom demand after hackers stole two years' worth of data, including staff personal information. Researchers noted that many automotive companies do not check their vendors' cybersecurity practices before doing business, also making them easy targets. In May 2021, it was discovered that one of Volkswagen's vendors left one of its systems open for nearly two years, exposing the personal data of 3.3 million customers. The breach took place between August 2019 and May 2021. Volkswagen noted that the data, mainly collected for sales and marketing, was exposed by a vendor used by Volkswagen, its Audi subsidiary, and authorized dealers. It was noted that for upwards of 97% of the affected customers, the attackers got access to personal information about customers and prospective buyers, including names, postal and email addresses, and phone numbers. Other buyers or prospective buyers got hit harder since they had more sensitive data, including Social Security numbers, dates of birth, and driver's license numbers, stored on the vendor's leaky server.

Automotive dealerships need to take their cybersecurity more seriously, especially since 84% of consumers surveyed said they would not go back to buy another vehicle after their data had been compromised. If a cyberattack does occur, there is a high likelihood that many customers will never return. Security experts are urging car dealerships to follow cybersecurity best practices. Employee cybersecurity training should be provided to all dealership employees, and dealerships need to do a better job ensuring that all their software is up to date. When using a vendor to provide a service, security experts suggest that the vendor's cybersecurity practices should be reviewed before ever doing business with them.