Working in cybersecurity and especially in a consulting role certainly has its moments of premonition. We watch breach trends and do our best to prepare those we protect. It never feels good when these “told you so” moments happen, but it does highlight the importance of the work we do.
In October, I gave a presentation at the Massachusetts State Auto Dealers Association’s annual meeting, titled “Dealership Security: State of the Industry from a Cybersecurity Perspective.” In this presentation, I warned auto dealers of the likelihood of increased attacks within the industry, especially after the enhanced FTC Safeguards Rule and fines/penalties they are now subject to. In fact, a Midwest auto dealer was hit with a ransomware attack just days after the final amended FTC Safeguards Rule Deadline.
I had a slide that highlighted two concerning headlines from earlier this year:
“Auto dealers are prime targets for hackers, warn researchers“
“Toyota supplier portal breached by white hat hacker”
It’s a lethal combination to have a vulnerable industry, which hackers have identified as ripe for the picking. Attackers often share information regarding potential targets and methods. Research shows that they identify the auto industry as an ideal target, citing outdated technology and inadequately trained workforce as the reason. My exact words during my presentation were: “Toyota was lucky it was a good guy that found it this time.”
And then recently, this headline hit the news: “Toyota confirms breach after Medusa ransomware threatens to leak data.” Toyota was not so lucky this time.
Toyota Financial Services Europe & Africa was the victim of a ransomware attack to the tune of $8 million, at the threat of releasing a large amount of sensitive consumer and internal data. But, at least the attack group was “nice” enough to include an option to extend the deadline… At “only” $10,000 a day…
Medusa has since made the stolen data available for purchase on their dark web site, indicating that the ransom was not paid. Toyota then started notifying some German customers that their financial information was compromised as a result of the breach. While Toyota has not confirmed the cause of the breach, it has been speculated that stolen credentials or phishing could have been the cause. A security researcher also posted publicly prior to the incident that Toyota Financial Services had an exposed system in Germany with a known vulnerability called “CitrixBleed,” which ransomware groups have been targeting. All these speculated attack vectors point back to the same weaknesses attackers highlighted as a reason to prey on the industry earlier this year.
A new trend we see with these attacks, is attackers leveraging regulatory compliance as a motivating factor for their victims to pay a ransom, as they know data breaches may result in fines/penalties. This effect is insult on top of the injury of downtime, resulting loss of revenue, damage to reputation, cost of credit monitoring services for victims of a breach and countless other impacts — some directly financial and others intangible.
These attackers know the stakes are higher now for the auto industry, especially with the latest amendment to the FTC Safeguards last month to include reporting requirements. In other regulated industries, we’ve started to see attackers employ a new tactic — threatening not only to release compromised data, but also to report their victims to a regulatory authority. Just last month a ransomware group filed a complaint with the U.S. Securities & Exchange Commission when one of its victims, a software company, failed to meet the reporting threshold under a new rule, similar to the requirements the FTC has adopted (albeit with a much shorter window for reporting).
The amounts the attackers chose for the Toyota ransom, expiration date and extension option are not arbitrary, but carefully calculated to maximize inflicted damage and increase likelihood of payout. They do their research, know their targets and are prepared.
We must be more prepared.
Some hard-hitting industry-specific statistics here:
- Only 53% of polled auto dealers are confident in their security (actually up 16% from last year. More on that below.*)
- 17% of dealers experienced a cyberattack or incident in the past year.
- The average ransom amount is $740,144.
- 84% of consumers polled would not purchase another vehicle from a dealership if their data was breached.
and of those dealerships that experienced a cyberattack:
- 85% reported that incidents occurred as a result of phishing
- 46% resulted in negative financial/operational impact
- 69% reported employee downtime
- 31% reported damage to reputation
*But — there is hope! Let’s move into the solution here:
- 75% of dealers that chose to become compliant with the FTC Safeguards saw significant improvement of their security after those efforts.
- The key actions identified above included:
- Identifying a qualified individual to oversee their cybersecurity
- Implementing cybersecurity training for all employees
- Implementing multi-factor authentication throughout the network
- Performing a risk assessment, conducted by a reputable source
- Basing their information security program on aforementioned risk assessment
- Developing an Incident Response Plan
If you haven’t taken these steps toward compliance and improving overall security, now is the time to start.
These attacks are not likely to decrease until we change attackers’ opinion of the industry. It’s imperative that dealers work with a partner to implement these security best practices above, to best protect themselves against these ever-increasing, ever-evolving threats.