With international criminal hackers becoming more diverse and sophisticated, directly targeting auto dealerships would provide a treasure trove of financial and proprietary information. This information could range from auto company and dealership internal data, or customer personal identifying information (purchase agreements and financing documents), to automotive industry vendor support for that local dealership.
A Wisconsin based auto group is taking their data as “a sacred trust.” This conglomerate is actually targeting their vendor companies, who support their 15 dealerships. These vendors must meet their internal cyber security requirements before they do business. The group’s rigorous vendor cyber standards are just a part of its broader effort to stay ahead of data security threats. The strategy includes installing sophisticated firewalls, providing cyber security training, sending regular phishing email tests and limiting network access.
Some of the biggest vulnerability challenges were identified as automotive vendors who have poor cyber security practices. If bad practices are identified, delasherships should mandate higher standards or find a new vendor. As auto vendors are changing on a regular basis, due diligence must remain a constant practice. As a routine and before doing any business, auto vendors must agree to cyber security concern.[1]
On 14 March 2019, Vietnamese hacking group APT32 or OceanLotus obtained access to Toyota and Lexus sales subsidiary servers, which contained credit card information and financial information. It is alleged that an innocent “chat” with a Toyota Australia dealership employee lead to this attack. Researchers believe OceanLotus was able to access private information from the company’s sales records to the tune of 3.1 million Australian Toyota customers.[2]
With international criminal hackers becoming more diverse and sophisticated, directly targeting auto dealerships would provide a treasure trove of financial and proprietary information. This information could range from auto company and dealership internal data, or customer personal identifying information (purchase agreements and financing documents), to automotive industry vendor support for that local dealership.
A Wisconsin based auto group is taking their data as “a sacred trust.” This conglomerate is actually targeting their vendor companies, who support their 15 dealerships. These vendors must meet their internal cyber security requirements before they do business. The group’s rigorous vendor cyber standards are just a part of its broader effort to stay ahead of data security threats. The strategy includes installing sophisticated firewalls, providing cyber security training, sending regular phishing email tests and limiting network access.
Some of the biggest vulnerability challenges were identified as automotive vendors who have poor cyber security practices. If bad practices are identified, delasherships should mandate higher standards or find a new vendor. As auto vendors are changing on a regular basis, due diligence must remain a constant practice. As a routine and before doing any business, auto vendors must agree to cyber security concern.[1]
On 14 March 2019, Vietnamese hacking group APT32 or OceanLotus obtained access to Toyota and Lexus sales subsidiary servers, which contained credit card information and financial information. It is alleged that an innocent “chat” with a Toyota Australia dealership employee lead to this attack. Researchers believe OceanLotus was able to access private information from the company’s sales records to the tune of 3.1 million Australian Toyota customers.[2]
Protecting your Data – As we can see from the Australian Toyota breach, auto dealerships need to become cyber aware and must diligently strive to stay ahead of data security threats. This by first identifying the threats and vulnerabilities and at the same time implementing stringent internal and external cyber security standards. They must install high-level firewalls, conduct cyber security awareness, send regular phishing email tests to their employees and limiting their network access.
Phishing tests – The Wisconsin auto group sold 9,336 new vehicles and 7,855 used retail vehicles in 2018. They employ a three-person IT team to oversees cybersecurity and other IT tasks. Most dealerships sub-contract network security and do not even have on sight IT experts. Once a month, send employees a phishing email. The subject line should contain an enticing lure to open the email. Something auto related or salacious. If the employee clicks on the test email link, open the attachment or enter their username and password; the internal system will identify that person for cyber security training. These type tests can be automated and become routine. Phishing remains the highest tactic to initiate a cyber-attack. In February, about half of their employees reported the test email as phishing, while 35 percent deleted or ignored it, thus passing the test. About 15 percent clicked the link in the email. It only takes one successful click for a hacker to enter a network.
Cyber Security Ignorance – Smart auto groups should build or add to their networks with security as a number one concern. Basic training in cyber security to all their employees is an imperative key to success. Also, dealerships should have a reliable backup system and sound procedures. Firewall with 24/7 monitoring to block threats is a sensible investment. Some dealerships offer separate networks for customers and employees, while keeping internal networks at lower risks of attacks.
Wapack Labs offers a service called RedXray, which provides dealerships a view regarding vulnerabilities of your supplier, customer, vendor, or subsidiary and indicated if they are in cyber trouble? RedXray will notify your auto group of any threats in your enrolled auto related entities. For use in auto supply chains, you can see who is at risk on daily basis and comply with NIST 800-171 rules. If a supplier, customer or partner is having cyber issues, you can identify the problem quickly and easily, and thus mitigate your losses immediately.
Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence organization. For questions or comments regarding this report or RedXray, please contact our lab directly by at 1-844-492-7225, or feedback@wapacklabs.com.
[1] https://www.autonews.com/best-practices/dealerships-cybersecurity-plan-targets-vendors
[2] https://www.hackread.com/toyota-data-breach-hackers-steal-3-1-million-customers-data/
Comments