The initial shock from last year’s string of cybersecurity breaches – including high-profile attacks on CDK Global and Finlay Automotive Group, Henderson, NV – deepened as auto dealers recognized their own systems were vulnerable, only for the alarm to quickly fade.
Yet dealerships can still be careless in protecting customer information.
“Many dealerships had no plan, no backups and no way to do business,” says Mark Begley, chief revenue officer for Roswell, GA-based DealerOps, which provides data integrity services to dealerships. “It just seems as though dealerships have had their heads in the sand for a long time, and they just don’t realize the kind of peril that could bring their business to a screeching halt,” Begley says during a webinar hosted by the American International Automobile Dealers Assn.
“Chaos” = Cyber Risk
It’s a particularly bad time for dealerships to be careless, because experience shows that cybercrime spikes in times of economic “chaos,” says webinar speaker Erik Nachbahr, founder and president of Helion Technologies, a Baltimore-based dealership information technologies service vendor specializing in cybersecurity.
“Dealers have to worry about threats rising, juxtaposed with budgets tightening. We’re not buying things that we need to be buying,” Nachbahr says. “I wish I had a nickel for every IT person I talk to, who says, ‘I’ve got too much to do’ – they’re pulled in different directions.”
True, There’s Insurance, But…
Dealers can secure insurance against cybersecurity breaches. First-quarter reports from publicly traded dealer groups referred to large insurance payments related to the CDK shutdown. Asbury Automotive Group, for instance, lists $7 million of cyber insurance recovery proceeds in its report for the first quarter of 2025.
But separately – without naming any specific companies – Begley of DealerOps says it might be hard to renew a policy after a big claim. A dealer group client had an $82,000 loss after an employee clicked on a legitimate-looking email that turned out to be a fake, he says.
“Fortunately, they had cyber insurance. That paid for the claim, but probably, also possibly, put them in a position of not being able to renew that policy,” he says.
Password “1234”
Despite recent history, dealerships can still be inexcusably lazy with cybersecurity, says Begley.
“I can’t tell you how many dealerships still share logins like ‘parts1,’ ‘service123,’ ‘finance5’ or whatever it is,” Begley says. He recommends dealerships regularly review passwords, change them periodically and discard unused passwords.
“Worse yet, when somebody leaves the dealership, the new person continues to use that person’s credential. This provides continued access for the person who’s no longer an employee of the dealership, and no longer bound by the rules,” Begley says.
Dealerships are “Piñatas”
Experts, including Begley, Nachbahr and other competitors, have warned for years that dealerships are a prime target for cybercriminals.
“Why are dealerships being targeted? Dealerships are like a digital piñata for hackers: personal identifiable information, or PII; financial records; DMS connections; and vendor logins. It’s all a gold mine of lightly guarded information,” he says in the webinar.
The “lightly guarded” part is surprisingly common. It’s common knowledge that dealership employees are very often responsible for clicking on an innocent-looking email that turns out to be phony.
Inside Jobs
It’s not always an accident, either, when employees – or ex-employees – introduce computer viruses, Begley acknowledges.
“Not every threat is external. Employees, whether intentional or not, can expose sensitive data,” he says. “I really don’t like talking about it, but inside fraud is real.”
“Sometimes it’s malicious, but sometimes it’s just negligence,” Begley says.
Carelessness can include leaving paper reports on work desks, keeping monitors running overnight and repeating a customer’s credit card number over the phone where others can hear it, he says.
Everybody’s Job
Many dealership employees still need to fully buy into the idea that cybersecurity is everyone’s job, not just the IT department’s, Begley says. Dealership executive management needs to show its buy-in, too.
“Culture is your first line of defense. And it starts with training. Your team is your firewall,” he says. “Regular, simple training goes a long, long way: how to spot a phishing email; when to flag a suspicious activity; how to say no to urgent money requests,” which may turn out to have come from an impersonator.
The stakes are high.
“Security isn’t a background task,” Begley says. “It’s actually core to keeping your business alive. It’s the difference between being in business – or possibly bankrupt.”