Security Risk

In late December, a staffer at Street Toyota in Amarillo, Texas, suddenly found himself without Internet access.

“Someone clicked on something they shouldn’t have,” says Misty Lerch, controller of Street Auto Group, which includes Street Toyota and Street Volkswagen. She later learned a hacker had taken advantage of human error and seized one of the dealership’s terminals. “Their computer was sending out two million spam emails per minute.”

The situation was resolved by technicians at Nuspire Networks, the auto group’s Commerce, Mich.-based data security service provider. Their actions saved untold numbers of consumers from getting unwanted emails from Street Toyota. They also kept the dealership off the spamming blacklist and saved one of its key marketing channels.

Exposing Vulnerabilities
A series of breaches at high-profile companies like Target, Home Depot and JP Morgan Chase has thrust data security into the national spotlight in recent years. Even Hollywood has fallen victim. Last summer, hackers accessed the iCloud accounts of actress Jennifer Lawrence and other celebrities and posted their private photos online.

Capping off what many media outlets called the “year of the data breach” was the massive cyberattack against Sony Pictures Entertainment in November. A group identifying itself as the “Guardians of Peace” claimed the attack was in protest of the planned release of “The Interview,” a comedy depicting the attempted assassination of North Korean leader Kim Jong-un.

And with Congress expected to act on the Cybersecurity Information Sharing Act this year, data security will continue to be a hot topic across industry lines. The bill, supported by the U.S. Chamber of Commerce, encourages businesses to voluntarily share details of cyberattacks with the Department of Homeland Security in exchange for protection from legal actions.

Data security became a priority for Street Auto Group about five years ago, after two alarming events occurred within six months of each other.

“We had an employee leave and we were concerned there could be a breach,” says Lerch, who has served as the group’s controller for the last eight years. “The second thing was that a local news station was going around to different dealerships, digging through trash cans looking for personal information.”

She says the dealership already had a program in place for the physical removal of printed data, but the employee’s departure caused anxiety about the vulnerability of electronic data. Lerch consulted with an associate who recommended Nuspire.

“He explained to me how they are PCI (payment card industry)-compliant, they can provide us with audit reports, as well as a whole team of security specialists who can help us stay on top of what is going on inside our networks, either from the inside or coming from the outside.”

Act or React
Tony Petcou is Nuspire’s channel program manager. He says dealerships usually approach the company after a data breach. “They get to us because something has recently happened and now they understand that pain.”

The financial pain of a data breach has reached new levels, according to the latest “Cost of Data Breach” study conducted by the Ponemon Institute and IBM. Released last May, the 2014 study noted that the total average cost paid by organizations for a data breach rose from $5.4 million to $5.9 million. The primary reason for the increase was the loss of customers following a breach and the additional expenses required to preserve the organization’s brand and reputation. The report defined a breach as “an event in which an individual’s name plus Social Security number, medical record and/or a financial record or debit card is potentially put at risk.”

The study also found that more customers were ending their relationships with a company following a data breach, with the average abnormal churn rate increasing 15% from 2013 to 2014. The financial services industry, the report pointed out, was among those most susceptible to high churn in the wake of a data breach.

“The game has changed quite a bit for auto dealerships, simply because of the information they collect — from credit applications to Social Security numbers to birthdays and personal addresses,” Petcou says. “It’s really about having not just a network professional but a security professional.”

Relying on obsolete technology and “patching” to maintain a computer network is the most basic way to expose your business, Petcou adds, and that includes operating systems. “Windows XP is sunsetted, and I bet you a good amount of dealers are running XP in some capacity.”

Petcou says Nuspire uses a segmentation strategy that separates users from the network; for example, operating a Wi-Fi network independent of the dealership’s computer network, thus preventing access to personal and financial data.

“People only get access for what they need. You have to be cognizant of what type of access you’re giving. When in doubt, we block everything,” he says, noting that dealers have been slow to react to newer data security risks.

“Most owners of dealerships have been in the industry for so long, and most dealerships have been handed down from generation to generation, so that current owner just remembers a lot of that history and injecting a lot of this technology is completely new to them.”

Nuspire has been working with the auto industry for more than a decade. It initially worked with auto OEMs and their service providers on data security issues before moving to the dealership level. And based on his years of observation, Petcou believes the service bay has been the biggest driver of technology adoption at dealerships.

“The wrench and the hammer are no longer tools, it’s the computer that connects wirelessly to an access point so they can flash a car’s computer or do their warranty claims all in the service bay,” he says. “The diagnostic tools have really driven technology.”

Regulatory Pressure
Today, it’s the Internet customer that’s forcing dealers to improve their ability to collect and store personal digital data. And as adoption of tools that allow them to do that increases, there has been a corresponding increase in data-security regulations and oversight.

In August 2013, the National Automobile Dealers Association (NADA)’s legal and regulatory affairs department issued a 14-page guidance memo to its dealer members about securing access to transaction data stored in the typical dealer management system (DMS). The memo was released nine days after the Federal Trade Commission warned big data collectors that it would use all tools at its disposal to protect consumer privacy. Officials with the NADA said at the time that the release of the memo was unrelated to the FTC’s announcement, noting that it was part of the association’s ongoing effort to promote compliance.

“We had frustrated calls from dealers, ranging from, ‘Jeez, various factories are jamming clauses in there, take it or leave it,’ or click-through agreements, and there seems to be somewhat of a feeling that they are losing control of their intellectual property,” NADA President Peter Welch said at the time.

The NADA’s memo warned members that the “FTC may consider any third-party ‘access’ to [nonpublic personal information] to be ‘sharing,’” even if the dealer’s vendor never actually accessed the data. It included a checklist dealers can use to police vendor access to their data and warned members they could run afoul of the Gramm-Leach-Bliley (GLB) Act’s Safeguard’s Rule and Privacy Rule if they provide NPPI to vendors and even manufacturers.

In June 2012, the FTC targeted a Georgia auto dealer for GLB Act violations after an employee downloaded consumer data files onto a flash drive and loaded them onto his personal computer, which contained peer-to-peer file-sharing software. The dealer was required to establish and maintain a comprehensive information security program and undergo data security audits by independent auditors every other year for 20 years as part of his settlement with the federal agency.

Tim Gallagher, a senior security analytics team leader at Nuspire, says the company’s analysts examine network logs and compare them with their worldwide network of data security points for comparison.

“We collect about a billion logs a day,” says Gallagher, who has managed projects for the U.S. Air Force and the Department of Defense. He notes that network operators are particularly susceptible.

“They are going to be attacked nonstop all the time,” he added. “I really mean that, all the time. It’s so easy to do and you don’t have to attack one person; you’re attacking thousands. You can send out one email and if one person clicks on it, you’re in. It’s easy and it takes 10 seconds to send out one million emails.”

Gallagher adds that Nuspire has taken a layered approach to security — from protecting public Wi-Fi networks in a store’s lounge to network firewall protection to help with regulatory compliance. It also provides customers with access to an incident response team.

“We’re in automotive. We secure the hardest environment,” Gallagher adds, noting the steep vertical nature of the industry. “We take the burden for doing a thousand locations. We understand how to play in that field.”

Street’s Lerch believes that of all the regulations that have affected the group, the GLB Act has had the greatest impact. “It continues to grow and morph into something different all the time. ‘This is also considered private,’ or, ‘You have to protect this in a specific way,’” she says of the fluctuating rules.

The dealership undergoes a routine audit every six months to review personal information access. It also relies on the DMS for some security, since most third-party vendors must be certified before gaining access. But Lerch relies on Nuspire to handle most regulatory compliance issues.

“The fees I pay to them are a whole lot less expensive than paying for five or six employees,” she says. “And it’s very time-consuming.”

Nuspire’s analysts can tell if a hacker is attempting to intrude into the dealerships’ networks. In fact, it was an alert from Nuspire — not the dealership employee who lost Internet access — that informed Lerch one of her computers had been seized and provided her with the IP address. Relieved, but frustrated, she confronted the staffer.

“I said, ‘Were you going to tell me?’” she recalls.

Paul Chavez is a freelance writer based in Venice, Calif. He can be reached at [email protected].