It takes less than a minute and three pieces of information for a smooth-talking thief to pull off a security breach involving car dealerships’ customer information.
So says John Pappanastos, CEO and president of EFG Companies, a provider of F&I products and services.
He calls on “all participants in the retail automotive chain to lock down their data.” That includes dealers and their software vendors.
In the cited ruse, a shady character will obtain information such as a dealership customer’s name, address and phone number, and then, impersonating a dealership employee, call the consumer.
“They will say something such as, ‘We have a problem, and need to run your down payment again,’” Pappanastos tells WardsAuto. “The customer says, ‘Sure,’ and provides credit-card information” and potentially more.
It is up to the dealership to prevent that from happening, he says. That means keeping sensitive information under lock and key, both physically and digitally.
Although it is not out of the question for an outside hacker to breach a dealership’s data system, it also is possible for the crime to trace back to a disreputable or careless employee. Or to a former staffer. The high staff turnover rate at many dealerships contributes to data insecurity, Pappanastos says.
“A lot of data security doesn’t involve hacking, he says. “From our perspective, it’s more of a business challenge.” Citing a recent scandal, he says, “For instance, I would consider a data issue the ability of Wells Fargo branch employees to put products on the bills of people who didn’t order them.
“My dealer clients tell me they are most concerned about their own employees. That’s the first line of defense. They are more concerned about safeguards involving their employees’ behavior, and less concerned about an outside hacker coming after them. The issue involves internal processes and data controls.”
That’s not to say outside hackers aren’t a threat or concern among both dealers and their customers. A Gemalto survey indicates 69% of consumers believe companies do not take consumer data security seriously enough.
The publicity from some high-profile hackings draws those consumers to that conclusion, Pappanastos says.
Referring to the widespread hack at Equifax in 2017, he says, “When you have a breach at one of our three major credit bureaus and it exposes information on 100 million consumers, that raises the alert.
“You would think that if anyone has a strong data security system, it would be a major credit bureau.”
An IBM-commissioned study says the average total cost of a security breach was $3.62 million. The average probability of a company suffering a security breach within the next two years is 27.7%.
EFG Companies recommends companies in the retail-automotive chain ask the following questions as first steps in achieving data security.
- Have I conducted a complete security risk assessment, including all access points and partners?
- Does my written “Information Security Program” document include procedures for each department that handles digital and physical consumer data?
- Have I reviewed all reasonably foreseeable risks that could result in unauthorized disclosure or compromise of consumer data? Am I protecting customer information from collection to disposal?
- Have I identified a designated person responsible for customer information security, with authority to implement the program?
- How do I foresee manageable risks that could result in unauthorized disclosure of private consumer information? For example, am I overseeing partners that might have access to, or take possession of, customer information? Do my agreements with these partners require them to implement appropriate safeguards?
- Does my company have sufficient training, oversight and procedures for securing private consumer data?
“From vulnerable photocopier hard drives to digital CRMs, we believe digital data security should be a key business objective for every retail automotive dealer, lender and partner,” Pappanastos says. “While important, simply locking a file cabinet or putting a screen protector on a monitor is not sufficient.”
EFG works with client dealers toward those goals. But Pappanastos emphasizes dealerships must “take ownership” of the mission to achieve best results.
“That is the key,” he says. “You don’t want to own it for them. Otherwise you put a target on your back and they assume you are responsible.”