198 million people who were looking for a new car just had their PII data stolen by hackers. The breached database belonged to DealerLeads, an online company that focuses on helping people find their next car.
DealerLeads owns hundreds of different websites, each key-worded to precisely match a customer's search engine query. They've been in business for about 20 years and they've been very, very successful according to their website (https://dealerleads.com/).
The breach was discovered by Jeremiah Fowler, a senior security researcher at Security Discovery. In a recent interview with Forbes (which you can read here: https://www.forbes.com/sites/daveywinder/2019/09/15/bought-a-car-recently-198m-car-buyer-records-exposed-in-massive-data-leak/#511981b77391) that he saw the 413GB dataset over and over recently, finally peaking his interests to investigate.
What was leaked?
Oh, golly. Lots and lots.
Names, email addresses, street addresses, phone numbers. You name it. They even nabbed IP addresses. Fowler said he first notified the company on August 19th of this year. After a few days of waiting for a reply, he reached out again by phone.
Fowler said DealerLeads were quick to protect the database with a password after they had been notified but it was too late. The damage had been done.
What's going to happen?
Not sure. That's still up in the air. DealerLeads still hasn't made a public announcement regarding the breach or, from what I've been able to find, made any sort of outreach to affected customers (both personal or dealerships).
The Forbes article is worth reading. Here's the link again: https://www.forbes.com/sites/daveywinder/2019/09/15/bought-a-car-recently-198m-car-buyer-records-exposed-in-massive-data-leak/#511981b77391.
I'd love to say this kind of breach isn't common, but it is. What's worse is it's not even really a breach. The database was left wide open and presented its information willingly to anyone with the knowledge or wherewith-all to look for it.
Most of these breaches are caused by either lax security policies or no security policies at all. Companies seem to either totally ignore basic principles or willingly assume the massive risk associated with a breach.
If you think your company might be at risk, or if you're interested in implementing a better security posture we'd suggest you check out our Security Advisory Services page and schedule a time to talk with us.
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.