Software Developer to Implement Security Protocols to Settle Investigation into Data Breach Exposing Personal Information of Auto Dealership Customers…September 8, 2018
NEWARK – Attorney General Gurbir S. Grewal and the Division of Consumer Affairs announced on September 7, 2018 a settlement with data management software developer Lightyear Dealer Technologies that resolves the Division’s investigation into a cyber security lapse that allowed unauthorized public internet access to a company database containing personally identifiable information of customers and employees of more than 100 auto dealerships nationwide, including at least four dealerships in New Jersey.
The security gap was exposed in 2016 when a security researcher accessed unencrypted files containing names, addresses, social security numbers, driver’s license numbers, bank account information and other data belonging to thousands of individuals, including at least 2,471 New Jersey residents.
Through its investigation, the Division found that in April 2015, a misconfigured file synchronizing program allowed unauthorized public internet access to a database containing unencrypted files backed up by approximately 130 of DealerBuilt’s client dealerships nationwide, including at least four in New Jersey.
Sometime between October 29 and November 3, 2016, a security researcher was able to access the DealerBuilt database and download files from five of those dealerships, including one in New Jersey — Winner Ford in Cherry Hill.
Upon learning of the vulnerability on DealerBuilt’s systems, the security researcher published an online article drawing attention to the fact that the files were backed up and stored without adequate security protocols in place.
In the wake of the breach, the Division began an investigation to ascertain whether DealerBuilt’s conduct was in violation of the New Jersey Consumer Fraud Act (“CFA”) and/or the New Jersey Identity Theft Prevention Act (“ITPA”).
To resolve the Division’s investigation into the breach, Lightyear Dealer Technologies, which does business as “DealerBuilt,” agreed to enact a variety of data security reforms designed to prevent similar breaches in the future.
In a Consent Order resolving the investigation, DealerBuilt agreed to an $80,784 settlement amount comprising $49,420 in civil penalties and $31,364 in reimbursement of the Division’s attorneys’ fees, investigative costs and expert fees. Under the terms of the Order, $20,000.00 in civil penalties will be suspended and automatically vacated at the expiration of two years provided DealerBuilt complies with the terms of the Consent Order and does not engage in any acts or practices in violation of the CFA and/or the ITPA.
“Through this settlement, New Jersey is holding DealerBuilt accountable for a security lapse that exposed sensitive personal data belonging to thousands of our residents and untold numbers of consumers nationwide,” said Attorney General Grewal. “As a result of our negotiations, DealerBuilt has agreed to implement comprehensive cyber-security…