
15 Auto Dealership Cybersecurity Statistics That Will Drive You to Action

It’s not just cars that can crash

Sponsored by Helion

– Casey Crane

St. Petersburg, Fla. – Feb. 14, 2020

The risk of cyberattacks for auto dealers is higher than ever, and so are the costs — most consumers say they won’t buy from a dealer that’s had a data breach.

Cybercrime is growing in many industries — and the automotive industry is no different. In fact, Cybersecurity Ventures forecasts that the worldwide annual cost of cybercrime will reach $6 trillion by 2021.

However, this article isn’t your run-of-the-mill report that talks about the vulnerabilities of vehicles and the connected systems they employ. Instead, we’re sharing the top cybersecurity statistics and concerns that relate specifically to auto dealerships.

The Landscape of Cybercrime Is Changing for Auto Dealers

Auto dealerships are attractive targets for cybercriminals because they collect, process, and store large quantities of customer data within their dealership management systems (DMSs). Personal data? Check. Credit applications? Check. Financing information? Literal “check.”

But what makes auto dealers so vulnerable? If you ask Erik Nachbahr, founder and president of Helion Technologies — a leader in IT services for the automotive industry — the answer is twofold.

“It’s important to understand that today’s cybercriminals are technically sophisticated and well equipped,” says Nachbahr, a CISSP who founded Helion more than 20 years ago. “However, most dealerships run on outdated technology maintained by IT personnel that are not professionally trained to defend against this threat. This won’t work.”

Considering that some dealership groups report that up to 20 vendors may have access to their DMSs or other internal systems, it goes to show how quickly things can go pear-shaped if even just one of their employees becomes compromised.

To get a clear picture that illustrates why Nachbahr and other IT security experts in the auto industry are so concerned regarding this looming threat, let’s look at the numbers:

15 Cyber Statistics Concerning Auto Dealerships

1. Social engineering is thought to be the leading tactic used in phishing and cyberattacks on auto dealers, Helion Technologies reports. In some ways, it comes as no surprise considering that KnowBe4 estimates that “91 percent of attacks rely on social engineering.”

2. PointPredictive, an auto finance AI firm that tracks fraud, reports that business email compromise (BEC) attacks are a growing issue for luxury auto dealerships and lenders. This increase is in line with research from the FBI concerning increasing BEC attacks. Data from their Internet Crime Complaint Center (IC3) indicates that domestic and international losses from BEC/email account compromise were more than $26 billion between June 2016 and July 2019.

3. Toyota and Lexus reported in 2019 that as many as 3.1 million pieces of customer data may have become compromised by an attack on auto dealerships in Australia, Japan, Thailand, and Vietnam. Forbes reports that the data was stored in a server that was connected to the affected network.

4. Auto dealerships are under constant threat from cyberattacks. Automotive News reports that “On an average day, 153 viruses and 84 malicious spam emails are blocked by technology on a dealership’s network.”

5. 84 percent of surveyed consumers say that they “would not buy another car from a dealership after their data had been compromised,” according to Total Dealer Compliance. This data demonstrates the significant impact a data breach can have on a dealership’s reputation.

6. The same survey from Total Dealer Compliance reports that only 30 percent of dealers employ IT personnel who have completed computer security training or certifications.

7. The Federal Trade Commission reports that there were 38,561 reported cases of identity theft related to auto loans and leases in 2019. That’s an increase of 105 percent over the previous year!

8. 63 percent of CDK Global’s 2018 survey respondents said their dealerships don’t have formal processes in place to respond to data breaches and other security incidents on their networks.

9. 85 percent of IT-related employees shared with CDK Global that within the past two years, their dealerships were victims of at least one cybersecurity incident. This is despite 67 percent of respondents reporting that they felt confident in their cybersecurity measures before the incident.

10. Dealerships that offer financing are subject to state and federal laws, including the Gramm-Leach-Bliley Act and its Safeguards Rule. And non-compliance can be costly. According to Total Dealer Compliance, violators can face up to $10,000 per violation and/or up to five years in prison (for individuals who are found liable). And dealerships themselves can face penalties of up to $100,000 per violation.

11. Under the California Consumer Privacy Act (CCPA), which became effective Jan. 1, 2020, auto dealerships are required to adhere to new data privacy requirements. In terms of fines, Helion Technologies reports that any intentional violations can cost as much as $7,500 — or $2,500 for incidents deemed as negligence — per affected customer.

12. 66 percent of top decision-makers at small and mid-size businesses (SMBs), which include auto dealers, don’t think that a cyberattack will happen to them. This cavalier mindset is particularly worrisome considering that Keeper Security’s research indicates that more than 50 percent of cyberattacks target small businesses.

13. Ransomware attacks will occur every 11 seconds by 2021, according to forecasts from Cybersecurity Ventures. And ransomware is a growing concern for auto dealers — one that Helion Technologies identifies as the second greatest cybersecurity threat to auto dealerships.

14. In December 2019, one of the largest dealerships in South Florida found itself the target of a ransomware attack. WPBF News reports that the company was left footing a $285,000 bill to replace affected computers after the attack. KnowBe4 reports that the estimated remediation costs for the business are even higher — “close to half a million dollars.”

15. 73 percent of consumers report that they’d be more comfortable working with staff at auto dealerships that have completed compliance training and display their certifications, according to Total Dealer Compliance. This is particularly significant considering that only 37 percent of surveyed dealerships indicate that they offer compliance training to all employees.

So, with all of this in mind, what should dealerships do to protect themselves and to mitigate the data privacy risks for their customers? Security awareness training is a must. But there’s something else Nachbahr also recommends.

“Implementing and maintaining dealer IT best practices is the only way to mitigate the risk of a breach,” says Nachbahr, who emphasizes the importance of partnering with reliable IT services to maintain data security compliance. “This requires continuous monitoring and in-depth knowledge of current threats and countermeasures.”

It’s not just cars that can crash. Dealerships can too.

– Casey Crane is a freelance writer.


Sponsored by Helion

Helion has been providing end-to-end IT services to auto and truck dealers since 1997.

Helion is the largest dealership-specific IT service provider. We understand the evolving technologies, government regulations, cybersecurity threats, and business conditions that shape the industry.
Our best practices are based on 20+ years of experience providing dealership IT services.