Another widely used dealership system that contains personally identifiable information (PII) has been infiltrated by fraudsters, compromising consumers’ profiles and creating significant headaches for store managers and the service provider.

Separate statements from 700Credit and the National Automobile Dealers Association confirmed the provider of credit reporting and compliance solutions for the automotive industry was hacked in October, prompting a series of actions aimed at helping dealers navigate this latest technology challenge.

In its statement, the company said, “700Credit regrets to inform you that our industry was attacked again by a bad actor who had unauthorized access to some of our personally identifiable information (PII) including name, address and Social Security Number. The investigation is ongoing and most importantly there is no indication of any identity theft, fraud, or other misuse of information in relation to this event.”

“We have engaged cybersecurity experts who did not identify any impact on our internal network, and confirmed all activity is limited within the 700Dealer.com application layer,” the company continued. “We confirm there is no operational impact on our business, and we are able to continue providing services as scheduled.

“We recently mailed a detailed letter to all impacted dealers and are in the process of notifying every impacted consumer,” 700Credit added.

The incident might be triggering dealers who had to contend with the breach that impacted CDK Global during the summer of 2024.

Through its communication, NADA reiterated the Federal Trade Commission (FTC) Safeguards Rule requires financial institutions (including dealers) to provide an electronic notice to the FTC as soon as possible and no later than 30 days after discovering a notification event involving the information of at least 500 consumers.

The association pointed out a notification event is the unauthorized acquisition of unencrypted customer information.

NADA explained that questions quickly surfaced about whether the security incident recently reported by 700Credit triggers this requirement. If it does, each dealer client of 700Credit would be required to file a breach notification with the FTC and complete its data fields, including (among other entries) the types of information involved in and a summary of the notification event.

To help the situation, NADA said 700Credit filed a breach notice with the FTC on its own behalf and a consolidated breach notice with the FTC on behalf of its dealer clients.

Accordingly, NADA, in coordination with 700Credit counsel, proposed to the FTC that the FTC permit 700Credit to file a single electronic notice in this matter on behalf of all of its affected dealer clients.

In such notice, 700Credit would complete all of the required data fields based on available information, including the identity of its affected dealer clients. NADA said this would satisfy any reporting obligation the dealer may have under the FTC Safeguards Rule.

The FTC has accepted this proposal, according to NADA. Consequently, NADA said dealers have no obligation to file a breach notice with the FTC related to this matter.

NADA explained that a dealer can opt out of having 700Credit handle this matter on its behalf, in which case the dealer will have to file a breach notice if the dealer determines that a notification event has occurred.

However, NADA said that dealers are reminded that:

—The full range of FTC Safeguards Rule requirements remains in effect

—Every state has a breach notification requirement and the FTC’s acceptance of this proposal has no effect on state notification requirements.

“Therefore, it is important for dealers to consult with legal counsel to ensure they are in compliance with any applicable state breach notification requirements,” NADA said in its statement. “700Credit will communicate directly with its dealer clients related to this matter.”

“The foregoing is offered for informational purposes only and is not intended as legal advice,” NADA added. “Consult legal counsel that is familiar with applicable federal, state, and local law for specific guidance on legal requirements applicable to your operations.”

For dealers who still have questions, 700Credit established a dedicated phone line to contact the company at (866) 273-0345.

“As a matter of policy, 700Credit cannot advise dealerships as to specific legal obligations so it may be necessary to consult with your counsel,” the company said.

“We pledge to take extraordinary steps necessary to assist consumers and notify required parties on behalf of dealers,” 700Credit said. “We timely notified the FBI and the FTC and confirmed with the FTC that 700Credit’s filing on behalf of all dealers is sufficient to meet dealer obligations to notify the FTC.

“In addition, we will be notifying state AG offices on behalf of dealers. Impacted consumers will also be notified and offered credit monitoring services and assistance they may need,” 700Credit went on to say.