If you’ve recently purchased a car, your personal information may have been leaked. Recently, 198 million records from a marketing database have been breached. Jeremiah Fowler, a senior security researcher at Security Discovery, discovered the same 413GB dataset multiple times online. "It was clear that this was a compilation of potential car buyers wanting more information," Fowler said. The data included loan and finance inquiries, vehicles for sale, log data with visitor IP addresses, etc.
After investigating the 413GB dataset that he had come across "several times in the previous weeks," Fowler thought it might be an automobile sales directory since there were links to lead-generation and small dealership sites. The researcher’s investigation found that all the website domains linked back to the same site: dealerleads.com.
DealerLeads, which describes itself on LinkedIn as "the highest converting vendor in the automotive industry four years running according to Google Analytics," is a company that has "collected and purchased popular automobile relevant domains based on search terms used by car buyers" for the past 20 years. "We have turned these frequently used search terms into a variety of websites SEO'd to match those search terms," the company adds. "These sites capture users at all stages of the buying funnel."
The DealerLeads system then drives first-generation leads directly to car dealer websites with conversion rates of 18% compared to third-party leads that convert at 5%-7%. The unsecured database contained 198 million records, including names, email addresses, phone numbers, street addresses, and other personal information, exposed openly to the internet. Fowler says that data such as IP addresses, ports, pathways and storage info could be used by cybercriminals to further navigate the network.
After the security researcher discovered the DealerLeads connection, he reported his detection of 198 million non-password-protected records to the company by email on August 19. A day later, he verified that the database was still online and exposed, so he decided to call the company directly. "I was able to speak with the general sales manager," Fowler said, "who was concerned and professional with getting the information secured and public access was closed shortly after my notification by phone."
Although DealerLeads acted quickly, the data had already been exposed and accessible for an indeterminate amount of time. Fowler remains uncertain whether DealerLeads has informed individuals, dealerships, or authorities about the data breach; therefore, affected potential customers may be unaware that their data was exposed.
According to Javvad Malik, a security awareness advocate at KnowBe4, "Not a week goes by without more companies exposing cloud-based data publicly. While on the surface this appears to be a technical misconfiguration issue, the root cause goes much deeper into the culture of security, or lack thereof, that many companies have." Malik believes businesses should treat customer data as if it were radioactive material — "with great caution, using effective protection and only the amounts that are absolutely necessary."
Jonathan Knudsen, a senior security strategist at Synopsys, adds that "all that was needed was a simple policy that every internet-facing system needs password protection, data encryption, or other fundamental protections." These basic security policies are relatively inexpensive to implement and can considerably reduce risk and provide a catalyst to implement a more wide-ranging software security initiative.