NEWARK, N.J. — Software provider Lightyear Dealer Technologies, doing business as DealerBuilt, has entered into a settlement agreement with New Jersey state regulators to resolve an investigation into a cybersecurity lapse that allowed access to a company database containing personally identifiable information of customers and employees at more than 100 dealerships nationwide, including four dealerships located in the state.
The security lapse was exposed in 2016 when a security researcher accessed unencrypted files containing names, addresses, Social Security numbers, driver’s license numbers, bank account information and other data belonging to thousands of individuals, including at least 2,471 New Jersey residents, according to Attorney General Gurbir Grewal and the Division of Consumer Affairs.
“Through this settlement, New Jersey is holding DealerBuilt accountable for a security lapse that exposed sensitive personal data belonging to thousands of our residents and untold numbers of consumers nationwide,” said Attorney General Grewal. “As a result of our negotiations, DealerBuilt has agreed to implement comprehensive cybersecurity protocols to better protect consumers in all states against the threat of identity theft or other cybercrimes.”
DealerBuilt agreed to create an information security program to be implemented and maintained by a chief security officer with appropriate background and experience in information security. The company also agreed to maintain and implement encryption protocols for personal information stored on laptops or other portable devices or transmitted wirelessly, as well as add and update policies that define which users have authorization to access its computer network.
Additionally, the tech firm must maintain enforcement mechanisms to approve or disapprove access requests based on those policies, as well as maintain data security assessment tools, including vulnerability scans. The company also agreed to an $80,784 settlement amount.
“Data breaches like this are a sobering reminder of what can happen when companies fail to adequately protect the sensitive data they collect and store electronically,” said Paul R. Rodriguez, acting director of the Division of Consumer Affairs. “As this settlement demonstrates, New Jersey stands ready to vigorously enforce the laws that protect consumers from the risk of having their most personal information exposed.”
Through its investigation, the division found that in April 2015, a misconfigured file synchronizing program allowed unauthorized access to a database containing encrypted files backed up by approximately 130 of DealerBuilt’s client dealerships nationwide, including at least four in New Jersey.
According to the regulators, sometime between Oct. 29 and Nov. 3, 2016, a security researcher was able to access the DealerBuilt database and downloaded files from five of those dealerships, including Winner Ford in Cherry Hill, N.J.
Upon learning of the vulnerability on DealerBuilt’s systems, the security researcher published an online article drawing attention to the fact that the files were backed up and stored without adequate security protocols in place. The revelation prompted the Division of Consumer Affairs’ investigation into whether DealerBuilt was in violation of the New Jersey Consumer Fraud Act and Identity Theft Prevention Act.