THE CEO of the Australian Automotive Dealer Association (AADA) has warned Australian dealers that the nature of vehicle retailing makes car retailers a magnet for cyber attacks.
James Voortman was addressing the recent Pentana Live Innovation Accelerated online seminar in which he cited an example of a large British dealer group with 200 branches that was hit in a cyber attack that cost it a reputed $60 million.
He said another large UK dealer group with more than 25 locations turning over 450 million pounds was subject to a ransom attack that left some of its core systems damaged beyond repair.
“There was recently an example here in Australia of a customer falling victim to a phishing attack and being swindled out of more than $100,000 in trying to purchase a vehicle,” he said.
He added that the average cost of recovering from a data breach in the US was $4.5 million.
Dealers are a target
Mr Voortman said that cyber criminals are attracted to places where large amounts of data and money are transacted. He said that there is also a perception of vulnerabilities within dealerships.
He said that car dealerships “are high-value targets”.
“Dealers hold a wealth of data and a wealth of information in our databases about everything from customer identities, to vehicle identities, to transactions, banking, finance; you name it.
“And often that data is held for an extended period of time. Whether it’s across the term of a loan or across the term of a service contract; it doesn’t matter. The point is, we have lots of information about lots of sensitive things and we are keeping it for a long time. So we are obviously attractive to hackers.
“The other thing that makes us attractive is that we have a lot of this data being transmitted to our third party connections. Those third party connections are our financiers, insurers and the service providers that bolt on to our IT systems. Importantly, there is also the information we sent to and from our OEM franchisors.
“So this is something that is a potential vulnerability for us – this flow of information. It’s also important to know that what makes us different from many other businesses is that we process large payments with consumers.
“Dealers turn over almost $60 billion a year here in Australia, an extraordinary amount of money. And if you think about those transactions they are often deposits on motor vehicles; so there are large payments or, even more scary, customers who are still paying cash and sending the payment for those vehicles via bank transfer.
“Our adversaries probably see us as small, private, largely family businesses who might be more inclined to fix cars and sell cars, rather than invest in cybersecurity. I don’t think that’s fair, because I think a lot of our members have made great strides in investing in protecting themselves in a cyber sense, but that perception is still there, and comes against us when adversaries are deciding who to attack.
“Another factor to consider is our OEMs and our partners. Our business partners and our franchisors also expect anything shared with them on a commercial and private basis to be kept and used securely for the purposes for which it was collected.
“Our OEMs in particular simply will not allow their brands to be represented by dealers who do not take cybersecurity seriously. To fall victim to attack is really compromising that relationship and putting into question whether there will in fact be a relationship with some brands,” Mr Voortman said.
“Another thing is disruption and reputation as cyber attacks can severely disrupt the operations of a dealership. (To find) core systems left damaged beyond repair is the kind of stuff dealers would really want to avoid; not being able to access one’s systems for a prolonged period of time can have a devastating effect.
“And the costs of remediating a cyber breach are astronomical. In fact, the average data breach in the US I am told is around $4.5 million to remediate. So there is a clear disruptive element to this.
Loss of reputation
“Disruption and reputation are some of the reasons you really need to take this seriously.”
He said breaches at Optus, Medibank, Latitude and HWL Ebsworth show that “nobody is safe – even those you would expect to have the most robust cyber defenses”.
“That shows that even very sophisticated businesses can be caught up in these attacks. And I can bet you that for every one of the Optuses out there, there are many, many smaller privately-owned businesses that get caught up in cyberattacks.”
Mr Voortman said that “businesses that failed in the cyber task” would have “a serious effect on their reputation and ability to retain customers”. He cited a survey from earlier this year in which Roy Morgan named Optus as the most distrusted brand in Australia.
“So it does have an effect on your reputation and your ability to retain customers.”
Mr Voortman said there are great risks around keeping ID information indefinitely.
“We find from some of these attacks, that the information such as passports, such as driver’s licences were kept on record long after the identification verification process had been completed. And this just exacerbates the risk to customers through things like identity fraud.”
He said that it is vital that someone is doing a routine study of what data is being held and what data needs to be deleted.
Feds take hard line
Mr Voortman said the federal government had found that the regulatory regime was not fit for purpose and a new cyber strategy was being redeveloped.
The government is very focused on cyber to the extent that it “is seen as a national security issue” and it wants to “use every lever of national power to help keep us citizens and businesses safe”.
But the strong message from Canberra is that the government is “clearly looking at those businesses who don’t comply” and is “going to be watching you closely”.
“We saw this with new laws and penalties that have been introduced recently.
“If you go back 12 months, the maximum penalty in Australia for breach of the Privacy Act was $2.2 million.
“We now have significantly increased fines for a serious or repeated breach of the Privacy Act where businesses can now be liable for one of the following three: $50 million, or three times the value of any benefit obtained through the misuse of information, or 30 per cent of a company’s adjusted turnover during the breach turnover period.
“These could cripple businesses, especially the turnover one because we all know that dealers turn over massive amounts of money which have no relation to their profits.
“So, clearly, there are vulnerabilities for us.”
Consumer consent to hold data
“We also know that further changes to the Privacy Act are coming. The government has already flagged that it will be requiring entities to seek informed consent about the handling of personal information. So you’re going to have to be addressing this with your customers.
“There’s also a change that’s been flagged, which will make businesses accountable for handling information and destroying data that is no longer needed. There’s also been the removal of the Small Business exemption, although that doesn’t really apply to dealerships, because it was restricted to businesses turning over less than $3 million.
“But it just shows you how seriously the government is taking this and everyone is being asked to fulfill their obligations. I expect that there will be more changes which will put consumers at the front of this, that force us to try and work for our consumers in this regard.
“I also believe that the consumer data law that applies only to the banking and energy sectors will be extended to our industry and other industries. That is because the government wants consumers to be able to move their data where they want to; and that’s coming.”
Mr Voortman said it was essential for dealers to have a crisis plan in place.
Dealers need to study examples that have already happened so they are in a position to respond when a cyber attack occurs; it is not a question of “if” but “when”, he said.
“Have that plan in place so you know what to do, you know your reporting obligations, you know what to do in case you’re offered a ransom, you know what to do when the media start calling; have that plan in before the fact rather than after the fact.
“And then we need to develop a culture of cyber awareness amongst all staff.
“I often get dealers telling me, can you just send us a one-pager with things we need to do to protect ourselves from cyber crime?
“It’s not that simple. Cyber criminals adapt to conditions. It’s an evolving threat which is always adapting. And we need employees that can constantly respond and constantly up-skill themselves in this area.
“As you know, in dealerships, there are so many people touching so many areas around customer data on transactions; it needs to almost be a KPI on almost everyone’s job description.”