Ken Hill on the 700Credit Data Breach and Dealer Impact

Show Notes

In this episode of Inside Automotive, Ken Hill, managing director of 700Credit, addresses a major data breach that impacted thousands of dealerships and millions of consumers, outlining what happened and how the company is responding. Hill explains how a compromised third-party integration partner exposed an API vulnerability, leading to unauthorized access to consumer data despite 700Credit’s internal systems remaining secure.

He walks through the timeline of the attack, the steps taken to contain it, and the coordination with industry and government partners to manage notifications and compliance. Hill also shares lessons learned from the incident and stresses why cybersecurity education and best practices are critical for dealerships of all sizes, particularly those with limited resources.

Discussion topics include:

• How a third-party API compromise led to the breach
• The scope and duration of the velocity-based attack
• Coordination with NADA, the FTC, and the FBI
• Dealer and consumer notification and credit monitoring efforts
• Strengthening API validation and system security
• Cybersecurity considerations for dealership groups

Hill emphasizes that proactive security measures and education are essential to reducing risk across the retail automotive ecosystem.

Inside Automotive with Jim Fitzpatrick is powered by CBT News, your go-to source for the latest news, trends, and insights in retail automotive. Subscribe for more interviews with top industry leaders, dealership innovators, and experts shaping the future of automotive.

For more content, visit CBTNews.com and follow us on your favorite podcast platform.

Chapters

• 0:00: Breach Overview And Scope
• 0:52: How The Attack Happened
• 2:14: Shutting Down The API And Forensics
• 3:46: Industry Risk For Large And Small Dealers
• 5:34: NADA And FTC Coordination
• 7:18: Damage Assessment And Consumer Protections
• 9:12: Vendor Management And Insurance Lessons
• 10:52: To Pay Or Not To Pay Ransom
• 12:05: Communication Hurdles And Misinformation
• 14:02: Consumer Notifications And Dealer Support
• 15:32: Comparing Breach Types And System Uptime
• 16:56: Security Upgrades And Future Safeguards
• 18:28: Final Advice And Dealer Outreach

Transcript

Jim Fitzpatrick: 0:06

Welcome to Inside Automotive with Jim Fitzpatrick. 700 Credit, a credit check and compliance provider, suffered a major data breach, uh affecting nearly 18,000 dealerships and more than 5 million consumers. Today we're joined by Ken Hill, managing director of 700 Credit, to explain what happened and how the company is responding and what they're doing today for dealers and consumers for that matter, in light of this. So, Ken, thank you so much for taking the time out of your very busy schedule to join us on the show.

SPEAKER_01: 0:36

I appreciate the opportunity uh to communicate uh with our customers and trying to communicate as much as we can. So I appreciate the opportunity.

Jim Fitzpatrick: 0:45

So, can you walk us through what actually happened uh back in October uh for you know during during this breach?

SPEAKER_01: 0:52

Sure. Um yeah, um through uh we have over 200 partners, uh integration partners that we communicate uh with through APIs, most of the major DMSs uh in the industry, CRMs, digital retail products. Um and uh we had a partner that was compromised. Um and that partner uh back in July um I wish they would have notified us they did not. Um but uh they their systems were compromised and taken over, and the threat actors got a hold of their uh their communication logs to us and it exposed uh an API that the partner used to hold down consumer information because they didn't want to store it on their system. Um and uh it exposed the vulnerability that we have. Uh we weren't validating the consumer reference IDs to the original requester. So uh on October 25th, uh we were being uh attacked through velocity attack that's pinging us and pinging us millions and millions of times. And wow. We shut it, we shut it down. Um they continued to attack us uh for uh probably more than two weeks. Um but we had shut down the API, that was the exposure. They got about 20% of our data from May to October. Uh they did not penetrate our systems. We remained in production a whole time um up and running, but they did right, they tried. And uh so we we uh brought in a forensic team, two forensic teams uh to um help uh ward off these attacks, and uh they weren't successful. Um and uh and eventually the forensics teams inspected our systems to make sure and ensure that they didn't drop us any uh uh code or malware, ransomware, anything like that on our systems. So we were given the all clear. So that's the that was our uh uh our and when we finally shut them down, uh shut it down and they finally gave up, we got a got a nice note on Halloween evening from them. It was sort of spooky. Um so yeah.

Jim Fitzpatrick: 3:26

Okay, so that that's uh that's a very unfortunate situation, needless to say. And uh, you know, when when this happened with CDK, I had the the heads of the the different uh CRM or or say the uh DMS companies on. And you know, the first things that they said was, hey, this can happen to any of us out there, right? And that remains to be the case today, right? I mean, nobody is is completely has a complete safeguard against something like this, right?

SPEAKER_01: 3:54

No, no, I but uh I tell you um some of the people I've met with that the major dealership groups have had incredible people in place that are putting secure security frameworks and monitoring. Um a couple of groups had attackers. I was quite impressed with that. Can we borrow your attackers, right? Where they go out and try to attack their own system or attack those that are attacking them.

Jim Fitzpatrick: 4:23

Yeah, yeah.

SPEAKER_01: 4:24

Um, so it it's but my fear is for right as you go down in these big groups and the budgets, right? What are what are mid-sized groups, smaller groups, right? What do they have in place? Right. Um so that's my concern. That's actually hopefully a takeaway we're gonna try to do is uh do something um and and get more communication, more education on it. And I would urge dealerships to ensure that they're being educated.

Jim Fitzpatrick: 4:56

Sure, sure. And this is some this is something that obviously every dealer um is challenged with, struggles with. To your point, you know, it's one thing for a publicly traded company to have an entire cybersecurity team in place. In some cases, maybe it's the whole floor of their corporate headquarters, but uh but not so much for that group that says, well, we got five stores and we can't really afford to have uh a big team like that. It just doesn't make economic sense. However, they're they're still right on the front line of being, you know, absolutely.

SPEAKER_01: 5:26

Yeah, low-hanging fruit.

Jim Fitzpatrick: 5:28

Yeah, yeah, exactly. Exactly. Because the attackers know that about those smaller groups, right?

SPEAKER_01: 5:32

Yeah, yeah, yeah.

Jim Fitzpatrick: 5:33

For sure, for sure. You um in the article in automotive news, um, it talked about uh the FTC and NADA and its relationship there and and helping uh in this. Talk to us about that.

SPEAKER_01: 5:46

Um first of all, another one of my uh I guess good moments uh in this mess is getting to know the folks in NADA. Um what an impressive uh organization.

Jim Fitzpatrick: 6:03

Oh yeah, for sure.

SPEAKER_01: 6:05

Um and uh like they reached out to us, they chased us down. Uh um they had a call at 9 a.m. and they had the FTC on the phone with us at like noon. Really? Um on behalf of their dealership. So that's an organization uh that's run by good people.

Jim Fitzpatrick: 6:28

Oh yeah, for sure.

SPEAKER_01: 6:29

Yeah, no problem. Yeah, and we got the FTC to right, they uh got the FTC to agree to allow us to report on all our dealerships' behalf. So that's what we're trying to do, right? And we are doing is re like we reported to the FBI on our dealership's behalf, so they don't have to, right? We reported to the FTC on our dealership's behalf, so they don't have to. Now we're in the process of notifying the states um on those dealerships behalf so they don't have to uh notify the consumers, offer them monitor, offer them a free copy of their credit report again, so they don't do too and they need to allow us to be on the front lines because uh right, class action suits, people have already filed class action suits before we even released any names, people that were in there. How does that happen? Wow. Um, so they're gonna they're gonna they're gonna happen. Um yeah.

Jim Fitzpatrick: 7:28

Since this happened in October, here we are in uh in December. Has there been any reporting of damage done to any credit files or consumer files at all?

SPEAKER_01: 7:37

None. We we don't have one. We believe I have to be careful how I state this, but we believe we've secured the data, right? Uh but you you don't you don't know. Right. Right? That you're trusting the word of someone that it right attacked you, right? Uh so uh who knows?

Jim Fitzpatrick: 7:57

Yeah, that's that's interesting. And of course, you mentioned that you're given one to two years of uh of credit monitoring and free credit reports to uh to all consumers across the board that that were affected by this or involved in this. Yeah. Yep, yeah. Yep. That that's that's pretty good. That uh so when something like this happens, do you immediately turn to the other 199 other relationships and vendors that you have to say, okay, what what do we have in place, or what do you have in place? Or I mean it sounds like you had, I don't want to say a bad actor per se, but you've got somebody that this happens to. It sounds like they didn't notify you immediately and kind of kind of left the door open there a little bit.

SPEAKER_01: 8:37

Yeah, no, yeah, that could have been avoided if we were notified because we would have shut it down. We would have shut their access down. They gained access to us through their systems. Um, there's a lot of communication between partners, uh, certification programs, right? We have a GRC, uh, that if there are partners that are storing sensitive data, they have to go through a certification process. So there's a lot of that in place. Um I would recommend uh luckily um we in within the last year increased our cyber security insurance. Uh if we hadn't, uh right, we'd be in a lot of trouble. So I would encourage dealers to look at their vendors and and I think right, the uh the CFP and the safeguards part of their requirement was to survey your vendors, yeah, understand their security prop policies, processes in place, and understand their cybersecurity. I've make sure they have adequate cybersecurity because uh that could be right. I mean, if we didn't if we didn't do that, we'd be we'd be in trouble.

Jim Fitzpatrick: 9:51

Yeah, for sure. You know, when something like this happens and and the company comes out and says, hey, you know, we gotta play ball with these people because they're holding all the cards and this could get really, you know, very long, a very long process, doesn't do anybody any good. So we're gonna go ahead and take care of this thing and pay these people what they want to get paid so we can move on with business. While others may say, Oh, what are you doing? You're only you're only encouraging them to do this again. Is that a concern of yours that they say, wow, this there's there might be more in this well, you know?

SPEAKER_01: 10:20

There there were several heated conversations about that. Yeah. Um and uh the I, you know, uh I understand both sides of the argument.

Jim Fitzpatrick: 10:30

Yeah.

SPEAKER_01: 10:31

Right?

Jim Fitzpatrick: 10:31

Yeah. Um and uh But you got a business to run, right? You got people to put it in the world.

SPEAKER_01: 10:36

Yeah, and you have a responsibility to your customers, right?

Jim Fitzpatrick: 10:40

So looking back, um, and I know I say looking back, you're kind of in the midst of cleaning this up. You wish you could look back, but what are the lessons learned so far?

SPEAKER_01: 10:50

Um you know, we had a uh uh a plan in place to handle this, but I don't think we understood um some of the the obstacles.

Jim Fitzpatrick: 11:02

Yeah.

SPEAKER_01: 11:03

Uh and the obstacles have been uh inaccurate communications, communications uh to the out to the industry by organizations that I don't think uh were meant to be helpful and are causing panic more than they're helping.

Jim Fitzpatrick: 11:22

Yeah, yeah.

SPEAKER_01: 11:23

Um and I I I we didn't plan for that. And um our our whole organization is uh sending or re replying to those types of uh questions that dealers have. Sure. Um and concerns that dealers have. And we're we're trying, we're handling every one.

Jim Fitzpatrick: 11:46

Yeah. Little little bit of fear mongering going on, is what you're saying out there. Yeah, yeah.

SPEAKER_01: 11:51

Yes.

Jim Fitzpatrick: 11:51

Yeah. Um that's unfortunate.

SPEAKER_01: 11:54

Yeah, yeah. Uh right. We we are uh uh reporting to the state agencies and covering dealerships responsibilities, right? We reported to the FBI covering dealership's responsibilities. Yeah, a lot of miscommunications around those pieces, and we've probably already processed over a thousand requests in three days for lists of consumer names and addresses for individual dealerships that have requested it. Wow. Um and we'll continue to do so.

Jim Fitzpatrick: 12:30

But yeah, um, do you in this case, I guess you do? You can you have something that communicates directly to those uh to those five million consumers to say, hey, we we okay.

SPEAKER_01: 12:41

Yeah, uh it's um there's a there's a lot of firms that handle that, that that provide the monitoring, okay. Uh provide the help center to handle the call volumes from the consumers. Our notices haven't gone out to the consumers yet, but they will be.

Jim Fitzpatrick: 12:55

Okay.

SPEAKER_01: 12:56

Um, because it it takes a while uh to get those those pieces in place.

Jim Fitzpatrick: 13:02

Sure, sure. Uh and then in cases like this, they'll oftentimes, not oftentimes, sometimes, contact the dealer and go, hey, what's this all about and what what happened? And you know.

SPEAKER_01: 13:12

Yes, yeah. Is there any special training or communication that you've got to do with the dealer personnel to say if and when you get these communications that here's what I've yeah, I've spoken to some um organizations that have or actually dealership groups. Uh I've spoken to a lot of dealership groups in the last uh week.

Jim Fitzpatrick: 13:34

Yeah.

SPEAKER_01: 13:35

Um but um uh and during other incidents that were similar that have occurred in our industry, they said they didn't get one call from directly from a consumer.

Jim Fitzpatrick: 13:45

Wow, that's that's that's impressive. Yeah, uh that is good news.

SPEAKER_01: 13:52

But yeah, um, we are giving our dealers uh right our we're we're setting up uh right the company that we hire is gonna set up a uh consumer helpline, right? The consumer monitoring, uh consumer FAQs. We're gonna be providing those to dealers so that if they do get uh a call that they can just refer the consumer to that number to get assistance. Um but uh yeah, and right, and consumers uh to your viewers, right? Uh I highly encourage you, just as a uh safeguard, freeze freeze your credit files. Takes five minutes to freeze them, five minutes to unfreeze them if you're gonna do a purchase. Uh you might not be able to apply for those credit cards at the cash register anymore.

Jim Fitzpatrick: 14:40

I I did it, I did it myself on mine, and you're right. Yes, yeah, exactly.

SPEAKER_01: 14:44

But uh, right, you know when you're gonna go buy a car, you know, and freeze your file, and right?

Jim Fitzpatrick: 14:49

Sure.

SPEAKER_01: 14:50

So um that's some of the advice we're giving to the consumers that are in the notices. Sure, sure.

Jim Fitzpatrick: 14:55

Yeah, and and unlike um what happened with CDK, where it literally shut dealerships down for a period of time, week, or whatever it might have been a year and a half ago, um, is to say that's not the case with any of your dealer partners, right? This didn't affect this didn't have that kind of an effect.

SPEAKER_01: 15:13

And I um and I I believe in CDK's case, consumer data wasn't exposed, right? So they had the other end of uh an attack. Yep. Our end was they didn't get our systems, but they got our data, which uh yeah, you could say is worse. Yeah, yeah.

Jim Fitzpatrick: 15:30

Yeah, yeah, that that that's tough. That's tough. So uh so this this gives you that, because I don't think this has happened before with you guys, but um, but you haven't been a victim of this before. But now, lessons learned, you probably are you know ready with all of the necessary things you put in place, that god forbid something like this happens again, you'll yeah.

SPEAKER_01: 15:52

We've we actually have good processes in place. Uh we we we have many more uh API inspections going on that we've had, obviously. Um, and there are some things that we've added um that moving forward, yes. Uh um we're we're we're moving to a new uh uh backbone. Um and uh it's you know it's taken us a little bit of time, but we're expediting that now to get to that new backbone because there's more security features and enhancements in that new backbone. So um yeah, lessons learned, but also uh our our security team has got job security for quite some time and will probably be increasing in size.

Jim Fitzpatrick: 16:41

They uh if you're in if you're in cybersecurity today or anything AI, it's smooth sailing for you, right?

SPEAKER_01: 16:47

Yes, that's right.

Jim Fitzpatrick: 16:49

That's crazy.

SPEAKER_01: 16:50

They did a they did a uh an incredible job. And I don't know they got much sleep.

Jim Fitzpatrick: 16:55

Yeah. One dealer I was speaking to about this earlier today offline, they said, I wonder of the five million consumers, percentage-wise, what was that of your overall number of files? Is it 10% or 50? Or what what is because I know you guys work with God, so many dealers, and you've got you've got to have tens of almost millions of files, right?

SPEAKER_01: 17:16

Yeah, well, let's not do an advertisement for the hackers out there, but the other thing is. No, no, no, right, right, right. No, but you're right. Uh we it it hit about uh over a five-month period, it hit about 20% of our data.

Jim Fitzpatrick: 17:28

20. Okay. Okay. Right. So on the bright side, 80% of your data was secure.

SPEAKER_01: 17:33

Yes, right?

Jim Fitzpatrick: 17:34

Yeah.

SPEAKER_01: 17:35

Yeah. Well, thank you to our security team that shut it down. Yeah.

Jim Fitzpatrick: 17:39

Yeah, for sure. For sure. Any any uh any final thoughts on this uh uh on this situation before we close out the segment?

SPEAKER_01: 17:48

Um yeah, that any any questions, any concerns, reach out.

Jim Fitzpatrick: 17:53

Okay.

SPEAKER_01: 17:54

We're committed to answering every call.

Jim Fitzpatrick: 17:56

Okay, great. Great. Ken Hill, managing director of 700 credit, uh, an incredible brand. I mean, you guys have built such an incredible framework and and platform for dealers in this area. It's very unfortunate this has happened to you. Again, a reminder to everybody that's watching, it can happen to you too. So listen to Ken on these suggestions and just check and recheck and make sure the vendors you're working with are rock solid and they're doing their due diligence on a daily basis. Because again, it can happen to any auto group, it can happen to any uh uh you know, DMS system, it can happen to anybody that's out there working with dealers, right? I mean, we nobody is immune to this uh or protected. So, Ken, thank you so much for joining us on the show to clear some things up and to you know have this uh communication directly to dealers. I know they'll appreciate it. And again, dealers that you've got some questions or what have you, give Ken and his team a call and they'll put your mind at ease, I think, in a lot of these situations.

SPEAKER_01: 18:50

Thanks, Jim. I appreciate the opportunity.

Jim Fitzpatrick: 18:52

Absolutely. Thanks so much.

SPEAKER_01: 18:55

Thanks for watching Inside Automotive with Jim Fitzpatrick.