February 20, 2017 (UPDATED) — The industry had a scare last Thursday when it appeared that a large data breach had occurred involving several dealer management system (DMS) providers and dealer groups.
What actually happened was much more benign, and involved none of the DMS vendors. Nor did the event involve any sensitive personal data.
The fallout, however, could be far-reaching.
Below are the facts that TBR has been able to put together after reviewing the evidence and holding several conversations with many of the affected players.
Last Thursday afternoon (February 16) someone sent an email to dealer executives, DMS vendor executives and an industry consultant claiming to have used a team of hackers to obtain millions of CRM records from the Dealertrack, CDK and Reynolds and Reynolds systems.
The email was made to look like it had come from a team of hackers well-known to people playing in that world. It was also sent using an email server connected to Tor, which is software designed to allow anonymous communication on the Internet, and commonly used by the hacker community.
A key point is that none of the data came from the DMS provider systems. Even though three of the providers were mentioned in the email, none of their systems were breached or affected in any way.
A second key point is that none of the data is considered to be sensitive PII (personally identifiable information) in most states. The data did not include any encrypted information or data such as social security numbers, financial data, birthdays or anything else that would be deemed sensitive. (A caveat here: I’m not an attorney or an expert in cyber protection or cyber law. My assessment is based on research and what several of the affected companies have relayed to me.)
The email also included six URLs to what is known as a paste bin site, used to upload and share text files. Each URL contained text data with customer information from six different dealer groups that the email named. (We’re not naming the six dealer groups to protect them from further unnecessary pain or scrutiny).
Each file included only 5,000 customer records with different variations of name, phone number, email address, home address, date of last service visit and the vehicle serviced.
The URLs are no longer active nor is the data accessible.
So what happened? First, it was not a breach and does not meet the threshold of what the government calls a “reportable breach.” It turned out to be a clumsy and amateur attempt to sabotage ELEAD1ONE.
The evidence points to an ELead employee who re-accessed previous legitimate searches made by dealership personnel using a low-level application called “Advanced Search” to extract the data. The search tool is available to most dealership personnel who use the ELead CRM. A few days after extracting the data, the employee resigned.
Furthermore, the application has no access to encrypted data or PII data. In addition to the six dealerships whose data was uploaded to the paste bin site, ELead determined the perpetrator also pulled data from another 25 dealerships — 5,000 records each, or a total of 155,000 records (for all 31 stores) which were not uploaded to the Web.
Later this week, ELead likely will present its evidence to the authorities and press charges against the former employee.
Except for the threatening email, this incident should have been a non-event. Every industry has data files like these floating around. I’ve seen data files with millions of customer records, some with much more sensitive information than the ones stemming from this event.
Data like this gets passed around every day. It gets added to, de-duped, cleansed, sold and resold — and it’s common to every industry.
Nevertheless, the email sent the affected parties scrambling. Hundreds of thousands of dollars were spent trying to determine whether the threat was legitimate.
ELead very quickly started piecing together what happened. Its findings evolved over the weekend as it delved deeper into the investigation, but it was clear there was no threat and that none of the DMS providers had been breached, or were even part of the event.
As expected, ELead took the appropriate steps to fix what was, apparently, an isolated incident.
CDK and Dealertrack worked with ELead and accepted its findings.
Reynolds and Reynolds took a much more aggressive stance, however, shutting down integration between its DMS and the ELead CRM for approximately 1,000 dealerships Thursday evening. Numerous dealerships reported to TBR they learned of the shutdown after the fact.
As of now, only six of Reynolds’ customers had limited data uploaded to the Web. We understand another five of their customers had data that was also extracted but not uploaded.
But it wasn’t data from the Reynolds systems. Furthermore, Reynolds is only involved because of an email threat that turned out to be a hoax and the fact that some of the affected dealers use its DMS.
Meanwhile, nearly 1,000 dealerships that had no knowledge of what happened, and were not part of the situation, have had to operate with no integration between their CRM and DMS over one of the busiest sales weekends of the year.
Discussions between the two companies have been ongoing throughout the weekend and today, but as of the publishing of this report, integration still has yet to be restored. Meanwhile, we’re hearing rumors of possible legal action in the next couple of days.
Reynolds’ position seems to be that it’s not comfortable that ELead has a complete grasp of the situation. This is despite all of the evidence up to this point showing there never was a threat to either Reynolds or the other DMS vendors.
In a statement emailed to TBR, Reynolds says:
“We are aware of a claim that certain files from a third party CRM vendor – eLead – may have been accessed without authorization. The potential unauthorized access may have included dealership and customer information. However, we have seen no evidence that any unauthorized party accessed the Reynolds system. As a result – and out of an abundance of caution – we have temporarily suspended the exchange of data between a Reynolds DMS and eLead. We are working with eLead – and will continue to work with them – until the situation is resolved.”
Meanwhile, many of ELead’s customers, Dealertrack and CDK, a $2 billion public company with significant legal and financial exposure should a breach occur, seem to believe there never was a threat and are satisfied with the actions ELead has taken.
Reynolds’ response seems to escalate what may be a minor blip into a much bigger story that now becomes part of the ongoing saga in the battle of data access in the automotive retail industry. Other than ELead pressing charges against the perpetrator, this should be a closed incident, based on the evidence we’ve seen.
The importance of data security in the industry cannot be overstated. And we have to be better, as dealers, as journalists, trainers and vendors, at protecting customer information. And the DMS vendors bear a huge portion of the cost and legal exposure to maintain data security.
But the truth is, situations like the one ELead found itself in are going to continue. More vendors and dealers are going to find themselves the victims of malicious actions. It’s the world we live in.
Events such as this demand rational responses. But there is little agreement on how to define “rational.” Reynolds often takes the more aggressive stance, claiming it has a responsibility to protect the security of its systems. By doing so, it says it is protecting the security of the data of its dealership customers.
But that stance often interferes with the business operations of the dealers it says it is protecting. And sometimes, it appears it uses a sledgehammer when a fly swatter would suffice.
Again, this is part of a much bigger story. The industry also has to resolve the issue of how vendors get access to the dealer’s DMS data. It is a problem and it’s one that has plagued the auto retail space for far too long.
The battle is growing in intensity as dealers continually find themselves caught in the middle — and often at the most inconvenient times. As we wrote in 2015, this battle is going nuclear.
And it will be one of the biggest stories of 2017. And it’s likely going to take several legal battles to sort it out.
UPDATE: Reynolds and Reynolds restored access to ELead’s CRM last Friday (February 24). Below is a joint statement released by Reynolds and ELead.
Reynolds and eLead are pleased to announce that the reported security incident with respect to eLead’s system, which first surfaced late Thursday evening, February 16, has been resolved. eLead and Reynolds value their relationship and are both committed to data security through secure Reynolds Certified Interface integration for the benefit of their mutual dealership customers.
Following its Standard Security Protocol, Reynolds disabled the eLead interface with the Reynolds DMS once Reynolds verified that a self-proclaimed hacker had publicly posted more than 30,000 customer files to the Internet, which Reynolds traced to the eLead software.
The customer files included in the unauthorized disclosure contained customer data including names, addresses, email, phone, and certain buying and servicing data related to those customers.
The dealership customers involved were customers of eLead. Those dealerships included customers of Reynolds as well as other DMS providers.
Since the initial reports of the incident, Reynolds and eLead have engaged independent data security experts to perform forensic analyses.
eLead supports Reynolds’ efforts to ensure data security and has supported the investigation by Reynolds’ experts into the incident. eLead’s support of Reynolds’ efforts included providing evidence to Reynolds’ independently-retained data security experts.
As investigation into the security incident has unfolded, it has been confirmed by eLead that the incident was precipitated by an eLead employee who is no longer with the company.
eLead has provided evidence and assurances that the security event is now understood, has been contained, and that appropriate steps are being taken to prevent further incidents. Based on evidence provided by eLead and its experts, Reynolds’ experts have concluded that eLead’s DMS integration may be restored.
Reynolds and eLead understand the disruption to the marketplace that a security incident like this may cause. Reynolds and eLead value the patience of their customers, and their understanding of the importance of data security and in Reynolds following its Standard Security Protocol in order to resolve any security incidents that may occur.