BreachExchange mailing list archives

Small-time security threats bigger concern


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 9 Mar 2015 22:46:08 -0600

http://www.autonews.com/article/20150309/FINANCE_AND_INSURANCE/303099941/small-time-security-threats-bigger-concern

The biggest threats to a dealership's data aren't Russian hackers breaking
through electronic firewalls or robots trying a thousand passwords on
security codes until they finally crack into the system.

It's more likely the mundane stuff that will cause a breach that enables
personal consumer data to slip out of the store, said Brad Miller, director
of legal and regulatory affairs for the National Automobile Dealers
Association.

Watch out, he said, for laptops that may contain sensitive files being
stolen out of cars. A thumb drive that contains code capable of capturing
passwords or data can be plugged into the laptop.

Also, software vendors long ago dropped by a dealership may retain active
pass codes that enable data to be taken from the dealership, unbeknownst to
store employees, Miller said. Or pirates may send dealership employees a
"phishing" email hoping to fool one into giving out information or a
password that opens the system to the thieves.

"Most of what happens is low-tech," Miller said.

In fact, hackers' theft of Target customers' credit card information in
2013 was traced to a heating, ventilation and air-conditioning contractor.

The contractor had access credentials to Target's network, which the
hackers stole and used to get into Target's computer system.

Miller said it is incumbent upon dealerships to ensure they have processes
and policies in place to know who has access to their data and what the
information is being used for.

Moreover, employees have to be constantly trained, especially in light of
turnover at stores, on how to safeguard those data, he said.

Regulators consider dealerships to be financial institutions because of the
magnitude of sensitive consumer personal information and transactional data
collected in the F&I department, he said. That's a high bar requiring
vigilance.

Dealerships are advised to create an emergency response plan in the event
of a breach, said attorney Kristen Mathews, head of the privacy and data
security practice at Proskauer Rose law firm in New York.

"Have a first-incidence-response team. Have a written incidence-response
plan that articulates how a company is going to respond," she said at the
American Financial Services Association conference held in January in San
Francisco just before the NADA convention.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/