If you bought a car in the last few years, there’s a good chance your personal information may have found its way to the open internet.
Names, addresses, phone numbers and social security numbers for both customers and employees for over a hundred car dealerships have leaked online, all thanks to a centralized records system coupled with shoddy security.
The system, built and operated by DealerBuilt, an Iowa-based database software company, sells management systems for car dealerships across the US, offering a central system for sales, customer relations, and employee payroll needs.
Last week, MacKeeper security researchers found 128 dealership systems, known as LightYear machines, were backing up to DealerBuilt’s central systems without any encryption or security, allowing anyone to see what was being backed up.
The database was found on Shodan, a search engine for open and unsecured databases and devices connected to the internet, with an open port of 873, commonly used by the “rsync” protocol, which synchronizes copies of files between two different computers.
A handful of the databases were shared with ZDNet for verification, including Winner Ford in New Jersey, Mall of Georgia Chrysler Dodge Jeep Ram, and Vans Honda in Wisconsin, and Toyota of Danville in Illinois.
Each database includes dozens of tables each, including sales, messages between staff (including talk of bonuses in some cases), payroll data, and customer names and addresses. The databases also stored sensitive information like social security numbers of customers, but also the employees who work at these dealerships.
That could put those affected at a higher risk for identity theft or criminals filing false tax returns.
It’s not known the exact number of records, but the collective backup is thought to include a few million of records — perhaps as many as five million.
The customers we contacted whose details were listed in the various databases confirmed their name and phone number, and the car dealership they are a customer of.
The dealerships we spoke to confirmed they were customers of DealerBuilt.
“I’m shocked,” said one dealership owner we contacted. “Utterly shocked. I have more questions than answers.” Another was audibly taken back when told them of the leak, who then immediately asked how he should notify his customers. He said he was going to pull his system offline, then abruptly ended the call.
Another car dealership manager said he was “very concerned,” but declined to comment further until he spoke to DealerBuilt.
DealerBuilt doesn’t say how the company handles data security, but its website does say that its system “offers very high level security that allows only the people in your organization who have been approved with the access to the information that you want them to see.”
Adam Brown, chief technology officer at DealerBuilt declined to comment when reached by phone on Monday, and could not be reached Tuesday.
“This massive leak is just another painful lesson of what happens when private and sensitive data is stored without encryption or modern data security practices,” said the security researchers in its blog post.
The rsync backup has since been secured, but has not been acknowledged by the company. But as the researchers said, “it is unclear how many other people may have accessed the data.”