According to Brian Krebs of the Krebs on Security newswire, recent hacker break-ins at a half-dozen car dealerships across the US are a reminder of just how easily one’s personal and financial information can be jeopardized by poor security at any of of tens of thousands of organizations that have access to that data.
Earlier this month, he says that Farmington Hills, Mich.-based RouteOne sent a letter to more than 20,000 dealerships around the country, warning of probable malware infections at six dealerships that use its service.
Formed in 2002, RouteOne is a joint venture by GMAC (now called Ally Financial), Ford Motor Credit, Toyota Financial Services, and DaimlerChrysler Financial Services.
US car dealerships use RouteOne’s credit application software and web portal to run credit checks and process financing for buyers, noted Krebs. He added that the service also allows authorized users to pull credit reports from the three major credit reporting bureaus.
Last month, he said, RouteOne warned its partner dealerships that six dealers had reported compromises to their logins consistent with being infected with spyware.
“The bulletin states further than RouteOne takes these matters very seriously and therefore has been in contact with the FBI and the US Secret Service”, said Krebs, adding that mass data collection, and the resulting potential for cybertheft, is a relatively recent problem.
Ten years ago, he asserted, data aggregation points like RouteOne didn’t exist, but the firm was created to speed credit and financing processes at dealerships, which previously had to navigate to and authenticate at multiple finance vendors, lenders and credit bureaus.
“Today, dealerships can access all this information with a user nameee and password at RouteOne.net, or via a RouteOne iPhone app”, he said.
While RouteOne did not suffer a data breach, the security researcher noted that some if its customers did.
“But that distinction is irrelevant to thieves who prize such access, and to consumers who find their identities hijacked and themselves saddled with unexpected debts from fraudulent new lines of credit opened in their names”, he said.
“The criminal underground is full of services that allow miscreants to look up Social Security numbers, dates of birth, maiden names, and other sensitive information”, he added.
“And while it's not clear where that data comes from, the most likely sources are compromised accounts at businesses and organizations that have easy and frequent access to consumer data.”