While perhaps not on the scale of some other data breaches, a dealership management software (DMS) provider recently reached a settlement with New Jersey regulators after their investigation found that its systems had been compromised.
New Jersey attorney general Gurbir Grewal and the state’s Division of Consumer Affairs announced a settlement with DMS developer Lightyear Dealer Technologies — makers of DealerBuilt, which provides store functions such as F&I sales, fixed ops, accounting, parts and payroll.
Enforcement officials explained that the settlement resolves the division’s investigation into a cyber security lapse that allowed unauthorized public internet access to a company database containing personally identifiable information of customers and employees of more than 100 dealerships nationwide, including at least four dealerships in New Jersey.
Officials indicated the security gap was exposed in 2016 when a security researcher accessed unencrypted files containing names, addresses, Social Security Numbers, driver’s license numbers, bank account information and other data belonging to thousands of individuals, including at least 2,471 New Jersey residents.
To resolve the division’s investigation into the breach, Lightyear Dealer Technologies agreed to enact a variety of data security reforms designed to prevent similar breaches in the future.
“Through this settlement, New Jersey is holding DealerBuilt accountable for a security lapse that exposed sensitive personal data belonging to thousands of our residents and untold numbers of consumers nationwide,” Grewal said.
“As a result of our negotiations, DealerBuilt has agreed to implement comprehensive cyber-security protocols to better protect consumers in all states against the threat of identity theft or other cybercrimes,” Grewal continued.
The reforms include:
—The creation of an information security program to be implemented and maintained by a chief security officer with appropriate background and experience in information security;
—The maintenance and implementation of encryption protocols for personal information stored on laptops or other portable devices or transmitted wirelessly;
—The maintenance and implementation of policies that clearly define which users have authorization to access its computer network;
—The maintenance of enforcement mechanisms to approve or disapprove access requests based on those policies; and
—The maintenance of data security assessment tools, including vulnerability scans.
DealerBuilt also agreed to an $80,784 settlement amount.
“Data breaches like this are a sobering reminder of what can happen when companies fail to adequately protect the sensitive data they collect and store electronically,” said Paul Rodriguez, acting director of the New Jersey Division of Consumer Affairs. “As this settlement demonstrates, New Jersey stands ready to vigorously enforce the laws that protect consumers from the risk of having their most personal information exposed online.”
Through its investigation, the division found that in April 2015, a misconfigured file synchronizing program allowed unauthorized public internet access to a database containing unencrypted files backed up by approximately 130 of DealerBuilt’s client dealerships nationwide, including at least four in New Jersey.
Sometime between October 29 and November 3, 2016, a security researcher was able to access the DealerBuilt database and downloaded files from five of those dealerships, including one in New Jersey: Winner Ford in Cherry Hill.
Upon learning of the vulnerability on DealerBuilt’s systems, the security researcher published an online article drawing attention to the fact that the files were backed up and stored without adequate security protocols in place.
In the wake of the breach, the division began an investigation to ascertain whether DealerBuilt’s conduct was in violation of the New Jersey Consumer Fraud Act (CFA) and/or the New Jersey Identity Theft Prevention Act (ITPA).
In a consent order resolving the investigation, DealerBuilt agreed to an $80,784 settlement amount consisting of $49,420 in civil penalties and $31,364 in reimbursement of the division’s attorneys’ fees, investigative costs and expert fees.
Under the terms of the order, $20,000 in civil penalties will be suspended and automatically vacated at the expiration of two years provided DealerBuilt complies with the terms of the consent order and does not engage in any acts or practices in violation of the CFA and/or the ITPA.
Attempts to reach DealerBuilt for a comment about the settlement were unsuccessful.
Investigator Christopher Spaldo and former investigator Brian Morgenstern of the Division of Consumer Affairs’ Cyber Fraud Unit conducted this investigation.
Deputy attorney general Zachary Klein and former deputy attorney general Russell Smith Jr. within the Affirmative Civil Enforcement Practice Group in the Division of Law represented the division in this matter.