700Credit data breach exposes 5.8M customers’ DOBs, SSNs across 20K US dealerships


700Credit, a consumer financing services company used by over 20,000 auto, motorcycle, RV, and marine dealerships across the US, will begin notifying victims of an October breach exposing the sensitive data of more than 5.8 million Americans, including Social Security numbers.


The major credit-checking services provider filed a copy of its required breach notification letter with the Maine Attorney General’s Office on Friday, to be sent out to impacted individuals starting on December 22nd.


Exactly 5,836,521 individuals (including the 19,225 Maine residents) were compromised during the two-day breach, which began on October 25th.

“700Credit regrets to inform you that our industry was attacked again by a bad actor who had unauthorized access to some of our personally identifiable information (PII), including name, address, and social security number,” the company posted in a notice on its website.


The company further explains in the breach notification letter that, after noticing “suspicious activity within its web application,” it immediately launched an investigation with outside security experts, ultimately determining “certain records relating to customers of its dealership clients were copied without authorization.”

According to 700Credit, those records included the following information:

  • Name
  • Address
  • Social Security number
  • Date of birth.

700Credit is considered the largest provider of credit reports, soft-pull credit data, identity verification, fraud detection, and more, used to finance vehicles sold at dealerships, including automobiles, boats, jet skis, recreational vehicles (RVs), motorsports, and all-terrain vehicles (ATVs).

Spanning more than 21,000 dealerships, 700Credit works with the nation’s three largest credit bureaus, Equifax, TransUnion, and Experian, to collect and review a potential customer’s financial data.


It is also integrated with more than 250 other software platforms, including dealer management systems (DMS), customer relationship management (CRM), and credit and compliance platforms.


Paul Bischoff, Consumer Privacy Advocate at Comparitech, says what’s notable about this particular breach “is that the attack occurred through one of 700Credit’s partners, which had access to an API that granted access to customer info.”

“This underlines why vendors like 700Credit can’t take security for granted even when dealing with its own customers. If one of those customers is compromised, they shouldn’t be able to access data from other client accounts as hackers did in this attack.”
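The isolation property Bischoff describes can be shown in a few lines. The sketch below is an added illustration, not 700Credit's code or API: the record store, API keys, dealership IDs and the `Gateway` class are all hypothetical and constructed. It contrasts a lookup that trusts any valid key with one that checks the record's owning dealership against the key's scope and counts cross-tenant attempts.

```python
# Added illustration: every name and record here is hypothetical and constructed.
from dataclasses import dataclass, field

# Constructed sample data: consumer record id -> owning dealership (tenant).
RECORD_OWNER = {"rec-1": "dealer-A", "rec-2": "dealer-A",
                "rec-3": "dealer-B", "rec-4": "dealer-C"}

# Constructed credentials: API key -> dealerships that integration may act for.
KEY_SCOPE = {"key-partner-1": {"dealer-A"},
             "key-partner-2": {"dealer-B", "dealer-C"}}


@dataclass
class Gateway:
    alert_after: int = 2                       # denied reads tolerated before flagging a key
    denied: dict = field(default_factory=dict)  # api key -> cross-tenant attempts

    def fetch_unscoped(self, api_key, record_id):
        """Weak form: a valid key is enough, record ownership is never checked."""
        if api_key not in KEY_SCOPE:
            return "unauthenticated"
        return "ok" if record_id in RECORD_OWNER else "not_found"

    def fetch_scoped(self, api_key, record_id):
        """Hardened form: the record's owner must be inside the key's scope."""
        scope = KEY_SCOPE.get(api_key)
        if scope is None:
            return "unauthenticated"
        owner = RECORD_OWNER.get(record_id)
        if owner is None or owner not in scope:
            # Same answer for "missing" and "someone else's", so the API does
            # not confirm which record ids exist in other tenants.
            if owner is not None:
                self.denied[api_key] = self.denied.get(api_key, 0) + 1
            return "not_found"
        return "ok"

    def keys_to_review(self):
        """Keys with repeated cross-tenant attempts: candidates for revocation."""
        return sorted(k for k, n in self.denied.items() if n >= self.alert_after)
```

With the scoped check in place, a compromised integration is limited to the dealerships it was provisioned for, and its out-of-scope requests become a signal for reviewing or revoking the key.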

One breach notification for 20K+ dealerships

700Credit says it began notifying the 20K+ dealerships about the intrusion when it was first discovered on November 21st.

Bischoff says, "Car dealerships collect a lot of sensitive personal information when someone buys a car, especially if they finance it."

Credit checks can collect a plethora of sensitive data about a person, including basic personal information (name, address, date of birth), credit score, credit accounts (past/present, balances, etc.), payment history, employment history, public records, and debt collections.

“In the wrong hands, that info could easily be used to open up other lines of credit in car buyers' names,” Bischoff explained.


It’s essential to note that although millions of customers across thousands of individual dealerships have been affected, the Federal Trade Commission (FTC) has granted 700Credit permission to file only one breach notification with the authorities.


This means that individuals will receive a breach notification letter from 700Credit in lieu of the dealerships they interacted with, which could leave many recipients confused and even more letters unopened.

700Credit is offering 12 months of credit monitoring services at no cost, and urges compromised individuals to actively monitor their credit reports for suspicious activity and to freeze them if necessary.


The company also says it is now reviewing its current security "policies, procedures, and processes related to the storage and access of personal information to reduce the likelihood of a similar future event."

Echoing the warning, Chris Hauk, Consumer Privacy Champion at Pixel Privacy, reminds consumers that “Any individuals affected by the breach need to stay alert for any new accounts being opened up in their name.”

“The information stolen includes four of the basic bits of information you need to open a new account,” Hauk points out. “If at all possible, I would definitely take advantage of the credit monitoring and identity protection being offered to victims,” he adds.

