
Car Dealership Provider Leaky CRM


08 / 11 / 2016


Ever bought a new or used car? If you have, you likely drove away from the dealership thinking about gas mileage and crash safety in your new car. However, in the digital age there is one more thing you should consider: did the dealership leak my personal data and credit information online? With the latest discovery of nearly a million records leaked online, automotive dealership employees and customers alike have had their private data left exposed to criminals. We must now face the reality that no matter what industry you work in or what products you buy, there is a strong chance that your sensitive personal data could be leaked online if it is not secured properly.

It appears that the database containing the information belongs to dealerbuilt.com, a dealer management and payroll system. On their website they claim that “DealerBuilt’s Payroll Application offers a comprehensive solution to manage your payroll needs”. They also offer customizable reporting tools that help dealerships historically document and review payroll and other vital employee information. Despite managing the private and sensitive data of over a million customers and salespeople, there is no mention anywhere of how DealerBuilt handles the security or data protection of all of these records.

Here is the public report still visible at Shodan: https://www.shodan.io/host/199.102.214.20#873

This discovery immediately attracted our attention, since this particular instance featured 128 folders named after clients. All of them were password-protected except one: a folder named “DealerBuilt” containing “Clients’ backup”. It appeared that this folder held all of their clients’ CRM SQL database backups. Once restored and mounted, these databases were an infinite source of private data.
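A defender-side configuration check in the spirit of this finding, added here as an example and not code from Kromtech or DealerBuilt. The Shodan link above points at port 873, the rsync daemon port, so this assumes the share was served by rsyncd. It parses a constructed rsyncd.conf (module names mirror the folders described above) and lists modules that have neither `auth users` nor `hosts allow`, which is the state that lets anyone who can reach the port list and pull a module anonymously.

```python
import re
from typing import Dict, List

# Constructed sample rsyncd.conf: two client modules are protected, one is not.
SAMPLE_CONF = """
# global settings apply to every module unless overridden
read only = yes

[clientA]
    path = /srv/backups/clientA
    auth users = clienta
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8

[DealerBuilt]
    path = /srv/backups/dealerbuilt
    comment = Clients' backup

[clientB]
    path = /srv/backups/clientB
    auth users = clientb
    secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse rsyncd.conf into {module: {parameter: value}}; globals live under ''."""
    modules: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and comment lines are ignored
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            modules.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            modules[current][key.strip().lower()] = value.strip()
    return modules


def find_open_modules(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return modules reachable with no password and no client allow-list."""
    globals_ = conf.get("", {})
    exposed = []
    for name, opts in conf.items():
        if name == "":
            continue
        effective = {**globals_, **opts}  # module parameters override globals
        if "auth users" not in effective and "hosts allow" not in effective:
            exposed.append(name)
    return exposed
```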

Upon further analysis of the content we came to the conclusion that the table layouts are almost exactly the same across the backups, because the company hosting them (DealerBuilt) gives all of its car dealership customers the same CRM software.

Just to give you an example: there were several folders containing the private and personal information of over a thousand customers and employees. These files have names like “faemployee” and “lycustomer”. Just one table called “lycustomer” holds records on 27,703 people. Some of the files contain social security numbers and even spouse social security numbers. The “faemployee” table contained from 60 to 300 rows of information. Multiplied by 128, you can estimate the total number of individuals who have had their personal data exposed.

When leaked employment data contains social security numbers, the risk of criminals engaging in identity theft, filing false tax returns or committing other forms of fraud rises sharply. The same risk likely applies to the many thousands of customers who have purchased vehicles, or possibly even applied for financing, at any dealership that uses the DealerBuilt platform. This massive leak is just another painful lesson in what happens when private and sensitive data is stored without encryption or modern data security practices. The dealerbuilt.com database is now secured, but it is unclear how many other people may have accessed the data or what steps DealerBuilt will take to notify the millions of affected customers and salespeople.

For questions or more information on this story please contact security@kromtech.com