We are in an era where data is critical to how we manage our lives and businesses. Long gone are the days when a company used Rolodexes of business cards to manage its customer base – everything is now stored on a computer disk, and nearly every computer is connected to the internet. That means data can be stolen if a hacker gains access, whether through a deliberate attack or, more commonly, through a poorly secured system.
Back in October 2016, a hacker broke into the connected systems of LightYear Dealer Technologies, who market the DealerBuilt system, a dealer management software tool in the US. Over a period of ten days they stole 12.5 million data items from 130 dealers. It netted them information on over 69,000 people that could be used to impersonate those customers and take control of their financial lives: for example, they stole the records that linked names, addresses, credit card numbers, birth dates and driver's licence numbers. Authorities also believe that dealer employee data was stolen.
In June, the software vendor settled (for a second time) – this time with the US Federal Trade Commission, for allegedly failing to properly encrypt the data. It went further than that, however: the FTC found that the company held data in plain text without access controls or proper authentication protections. It had no security policy, did not provide adequate user training and had no risk assessment procedure to periodically test its systems for security holes.
The FTC found that the vendor had installed a storage device on its network that was open to the outside world – and had been for 18 months! There was no security on the equipment, which meant that once its open address was discovered, anyone could reach the files, and for a hacker they would have been easy to open. That allowed the hackers to gain access without anyone knowing. It took two weeks for anyone to realise – and it was a dealer who called to say that someone had found their information online, open to the world. Only when a journalist followed up did the vendor start to remediate the situation.
The settlement sets a precedent because it treats the service provider (LightYear Dealer Technologies) as a financial institution and, as such, brings that class of company under the existing Safeguards Rule to protect customer data. It also means that the dealers who use such software are now liable along with their vendor. That is not a bad thing, because everyone who holds customer data should be cognisant of the security needed to protect this information.
This issue goes to the heart of the new world we are now in: with ever more connected vehicles pushing route data back to a central point, and autonomous cars receiving real-time data about conditions, traffic flows etc. and then mapping that to the occupants' interests, it is only a matter of time before an even bigger breach or a more serious threat occurs.
All the major manufacturers are becoming data repositories, and systems such as Uber, Lyft etc. hold vast quantities of data to use or sell to others. It is imperative that the data is depersonalised as quickly as possible for storage; however, doing that means the companies can no longer target their customers explicitly – which is where the value lies for them.
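The trade-off above is not all-or-nothing. A common middle ground is pseudonymisation: direct identifiers are replaced with a keyed token before the data reaches the analytics or marketing store, and the token-to-identity mapping is kept in a separate, tightly controlled vault. Targeting still works for whoever holds the key, but a breach of the analytics store (the DealerBuilt situation, a bulk store left open with no access controls) exposes only tokens. The following is an added example written for this article, not code from DealerBuilt, LightYear or any vendor named here; the customer records, the key, and the function names are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample records, not real data: the kinds of fields a dealer
# management system holds, plus one marketing attribute worth targeting on.
CUSTOMERS: List[Dict[str, str]] = [
    {"name": "Jane Example", "address": "1 Sample St", "card_number": "4111111111111111",
     "dob": "1980-05-14", "licence": "S1234567", "model_interest": "electric SUV"},
    {"name": "Sam Sample", "address": "2 Sample St", "card_number": "5500000000000004",
     "dob": "1975-11-02", "licence": "S7654321", "model_interest": "pickup"},
]

# Fields that identify a person directly; these must never reach the analytics store.
DIRECT_IDENTIFIERS = ("name", "address", "card_number", "dob", "licence")


def make_token(licence: str, key: bytes) -> str:
    """Derive a stable pseudonym from the licence number under a secret key.

    A keyed HMAC is used rather than a bare hash: licence numbers come from a
    small space, so an unkeyed SHA-256 of one could be recovered by simply
    trying every possible value. Without the key, the token reveals nothing.
    """
    return hmac.new(key, licence.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(
    customers: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split each record into an analytics row (token + attributes) and a vault entry.

    Returns (analytics_store, identity_vault). In a real deployment the vault
    would live in a separate system with its own encryption and access controls;
    here both are plain in-memory structures so the example runs offline.
    """
    analytics: List[Dict[str, str]] = []
    vault: Dict[str, Dict[str, str]] = {}
    for c in customers:
        token = make_token(c["licence"], key)
        vault[token] = {k: c[k] for k in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in c.items() if k not in DIRECT_IDENTIFIERS}
        row["token"] = token
        analytics.append(row)
    return analytics, vault


def has_direct_identifiers(records: List[Dict[str, str]]) -> bool:
    """Check a store for any field that should have been stripped out."""
    return any(k in DIRECT_IDENTIFIERS for r in records for k in r)


def target_by_interest(analytics: List[Dict[str, str]], interest: str) -> List[str]:
    """Run a marketing query purely over the pseudonymised store; yields tokens only."""
    return [r["token"] for r in analytics if r.get("model_interest") == interest]


def resolve(tokens: List[str], vault: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Turn tokens back into contact details; only the vault holder can do this."""
    return [vault[t] for t in tokens if t in vault]


if __name__ == "__main__":
    # Hypothetical key; in practice it comes from a KMS or HSM, never from source code.
    key = b"hypothetical-secret-key-kept-in-a-kms"
    analytics, vault = pseudonymise(CUSTOMERS, key)
    print("analytics store holds direct identifiers:", has_direct_identifiers(analytics))
    tokens = target_by_interest(analytics, "electric SUV")
    print("customers to contact:", [p["name"] for p in resolve(tokens, vault)])
```

The point of the split is where the risk lands: an exposed analytics store yields tokens and behavioural attributes but no names, cards or licence numbers, and the tokens cannot be reversed without the key. The company keeps its ability to target because the marketing query and the resolution step are separated by a deliberate access boundary, which is exactly the control the FTC found missing in the case above.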
If a hacker can get your basic details from a dealer system, including contact details, then it is feasible to impersonate you with other companies such as a telco, which in turn opens up a huge amount of behavioural data. At that point a person's identity can be taken over and fraudulent transactions can follow. As much as the world loves the idea of autonomous vehicles and a connected world, we as consumers must ensure that the vendors we use have tight security systems in place before signing a contract – and we need to understand who is liable and who will deal with a security breach.
Perhaps this will be the new way that insurance companies make their money. After all, if we are all in autonomous vehicles the chances of an accident would be greatly reduced, and with it the need for conventional insurance. The risk would then shift to the security of the data generated and used by these systems.