Once upon a time, shopping for a car was pretty straightforward. Potential buyers would trawl the small ads or visit a used car dealership. Those on the hunt for a new or nearly-new vehicle might head for a franchised dealership. Cash or a finance deal would secure the car of choice. A trade-in might be a part of the deal, and, aside from exchanging a few simple documents, that was pretty much it. The only challenge was getting the best price and resisting the lure of the options list.
The internet has changed all that to the point where some buyers can go through the entire process without looking up from their screens – let alone bothering with a test drive or a flesh-and-blood car salesman. Makes, models, colour and specifications can all be selected online and dealers can quickly locate a desired vehicle from a nationwide network. To make the process easier, all that dealers need are a few details from the buyer…
Inevitably, this is where things get complicated. In the US, a massive data leak in August resulted in 198 million records from a car buyer marketing database being exposed online.
Jeremiah Fowler, a senior security researcher at Security Discovery, became curious when he repeatedly came across the same 413GB dataset. “It was clear that this was a compilation of potential car buyers wanting more information,” he said, as the data included “loan and finance inquiries, vehicles that were for sale, log data with IP addresses of visitors, and more.” After some investigation, he discovered that all of the website domains concerned linked to the same place: dealerleads.com.
DealerLeads describes itself as “The highest converting vendor in the automotive industry four years running according to Google Analytics!” According to the DealerLeads website, they have “collected and purchased popular automobile relevant domains based on search terms used by car buyers” for 20 years. The DealerLeads system aims to drive first-generation leads directly to the websites of car dealers, claiming conversion rates of 18% compared to third-party leads that convert only 5%-7%.
The 198 million records held on the unsecured database include names, email addresses, phone numbers and street addresses along with “other sensitive or identifiable information exposed to the public internet in plain text.” Data such as IP addresses, ports, pathways and storage info could be exploited by cybercriminals to further navigate the network.
As soon as Fowler found the DealerLeads connection, he reported his discovery of the 198-million-record, non-password-protected Elasticsearch database to the company by email. That was on August 19.
On August 20, he confirmed that the database was still online and exposed to anyone who cared to look for it. It was time for a phone call. “I was able to speak with the general sales manager,” Fowler said, “who was concerned and professional with getting the information secured and public access was closed shortly after my notification by phone.”
DealerLeads was quick to password-protect the database once it had been notified. However, the data had already been exposed and had been accessible to anyone. Fowler said that it was “unclear if DealerLeads has notified individuals, dealerships, or authorities about the data incident,” and, as a result, “potential customers may not know if their data was exposed.” As far as can be established, the breach has only affected car buyers in North America.
“Not a week goes by without more companies exposing cloud-based data publicly,” Javvad Malik, security awareness advocate at KnowBe4, said. “While on the surface this appears to be a technical misconfiguration issue, the root cause goes much deeper into the culture of security, or lack thereof, that many companies have.” Malik advised businesses to treat customer data as if it were radioactive material: “with great caution, using effective protection and only the amounts that are absolutely necessary.”
Jonathan Knudsen, a senior security strategist at Synopsys, commented: “all that was needed was a simple policy that every internet-facing system needs password protection, data encryption, or other fundamental protections.” These simple, fundamental security policies, costing little to implement, “can dramatically reduce risk and provide a springboard to implementing a more comprehensive software security initiative.”
“This breach once again highlights the advantage adversaries have against defenders,” Israel Barak, chief information security officer at Cybereason, said. “The vast attack surface is extremely difficult to defend, and when databases are left exposed in the manner that is being reported, it doesn’t take a lot of ingenuity or creativity for the adversary to stay one step ahead of defenders.” Barak said that this is just one more wake-up call for security hygiene to be improved.
For more information, take a look at this article in Forbes Magazine.