Working in #cybersecurity and especially in a #vCISO role certainly has its moments of premonition. We watch breach trends and do our best to prepare those we protect. It never feels good when these "told ya so" moments happen, but it does highlight the importance of the work we do. 

Last month, I gave a presentation at the Massachusetts State Auto Dealers Association annual meeting, titled "Dealership Security: State of the Industry from a Cybersecurity Perspective." In this presentation, I warned auto dealers of the likelihood of increased attacks within their industry, especially after the enhanced FTC Safeguards Rule and fines/penalties they are now subject to. In fact, a Midwest auto dealer was hit with a ransomware attack just days after the final amended FTC Safeguards Rule Deadline.

I had a slide that highlighted two concerning headlines from earlier this year: 

"Auto dealers are prime targets for hackers, warn researchers"

and 

"Toyota supplier portal breached by white hat hacker"

It's a lethal combination to have a vulnerable industry, which hackers have identified as ripe for the picking. My exact words during my presentation were: "Toyota was lucky it was a good guy that found it this time."

Late last week, this headline hit the news: "Toyota confirms breach after Medusa ransomware threatens to leak data." 

A ransomware attack to the tune of $8m, with the clock expiring this weekend at the threat of releasing a large amount of sensitive consumer and internal data. But, at least the attack group was "nice" enough to include an option to extend the deadline... At "only" $10,000/day...  

As those in cybersecurity know, attackers will leverage regulatory compliance as motivating factor for their victims to pay a ransom, as they know data breaches may result in fines/penalties. This effect is insult on top of the injury of downtime, resulting loss of revenue, damage to reputation, cost of credit monitoring services for victims of a breach, and countless other impacts - some directly financial and some intangible.  

These attackers know the stakes are higher now for the auto industry, especially with the latest amendment to the FTC Safeguards last month to include reporting requirements. The numbers the attackers chose for the ransom, time period, and extension option are likely not arbitrary, but carefully calculated to maximize inflicted damage and increase likelihood of payout. They do their research, know their targets, and are prepared.  

We must be more prepared.

Some hard-hitting industry-specific statistics here:

• Only 53% of polled auto dealers are confident in their security (actually up 16% from last year - more on that below*) 
• 17% of dealers experienced a cyber-attack or incident in the past year 
• The average ransom amount is $740,144 
• 84% of consumers polled would not purchase another vehicle from a dealership if their data was breached 

and of those dealerships that experienced a cyberattack:

• 85% reported that incidents occurred as a result of phishing 
• 46% resulted in negative financial/operational impact 
• 69% reported employee downtime 
• 31% reported damage to reputation 

*But - there is hope! Let’s move into the solution here:

• 75% of dealers that chose to become compliant with the FTC Safeguards saw significant improvement of their security after those efforts 
• The key actions identified above included: 

• Identifying a qualified individual to oversee their cybersecurity  
• Implementing cybersecurity training for all employees 
• Implementing multi-factor authentication throughout the network 
• Performing a risk assessment, conducted by a reputable source 
• Basing their information security program on aforementioned risk assessment 
• Developing an Incident Response Plan 

If you haven’t taken these steps towards compliance and improving overall security, now is the time to start. OCD Tech has spent the past 10+ years helping auto dealers to be more secure, through the processes mentioned above, even prior to the amendments to the FTC Safeguards Rule. These attacks are not likely to decrease until we change attackers’ opinion of the industry. It’s imperative that dealers work with a partner to implement these security best practices above, to best protect themselves against these ever-increasing, ever-evolving threats.

Sources:

https://www.scmagazine.com/news/auto-dealers-are-prime-targets-for-hackers-warn-researchers

https://cybersecurity.att.com/blogs/security-essentials/how-to-protect-your-car-dealership-from-cyber-attacks

https://www.cdkglobal.com/media-center/driving-danger-cdk-global-2023-cybersecurity-report-reveals-rise-auto-dealership

https://www.bleepingcomputer.com/news/security/toyota-confirms-breach-after-medusa-ransomware-threatens-to-leak-data/#google_vignette

https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches

https://www.autonews.com/mobility-report/how-toyotas-supplier-portal-got-hacked