A data breach at a company that offers credit reports, identity verification, and other services for about 18,000 auto dealerships and similar businesses in the United States exposed the personal information of at least 5.6 million people.
According to executives with 700Credit, hackers earlier this year compromised the network of one of the company’s partners and used the information gleaned from that breach to attack 700Credit’s systems. Among the personal information stolen from customers of the Southfield, Michigan-based company’s clients were names, addresses, Social Security numbers, and dates of birth, according to the company.
The unnamed partner company was compromised during the summer, and 700Credit in October discovered that the unidentified threat actors had stolen personal data collected by its dealers.
According to 700Credit Managing Director Ken Hill, the company – which also serves RV, powersports, and marine dealerships – has more than 200 integration partners that it communicates with via APIs. The partner that was compromised earlier this year didn’t notify 700Credit about its data breach.
That firm’s “systems were compromised and taken over and the threat actors got hold of their communication logs to us,” Hill said during an interview with CBTNews. “It exposed an API that our partner used to pull down consumer information because they didn’t want to store it on their system. It exposed the vulnerability that we had. We weren’t validating the consumer reference site we used to the original requester.”
He said that during the attack, the bad actors were “pinging us, pinging us millions and millions of times. We shut it down. They continued to attack us for probably more than two weeks. We had shut down the API that was the exposure. They got about 20% of our data from May to October.”
That said, forensic teams brought in by 700Credit found that the attackers hadn’t penetrated the company’s systems, but that the breach was in its application layer. After finally shutting down the attack, Hill said the cybercriminals sent them a note, which “was kind of spooky.”
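An added illustration, not code from 700Credit or from the article, of the gap Hill describes: it assumes the API returned consumer data for a reference without checking that reference against the partner that originally requested it, and shows that ownership check alongside a cutoff after repeated rejected lookups. The class, the threshold, and the sample records are all constructed for the example.

```python
from collections import Counter


class ConsumerReferenceAPI:
    """Toy model of a 'pull consumer data by reference' endpoint."""

    def __init__(self, denial_limit=3):
        self.records = {}            # reference -> (owning partner, consumer data)
        self.denials = Counter()     # rejected lookups per partner credential
        self.suspended = set()
        self.denial_limit = denial_limit   # hypothetical threshold

    def create(self, partner_id, reference, data):
        # Record which partner made the original request for this consumer.
        self.records[reference] = (partner_id, data)

    def fetch_unbound(self, partner_id, reference):
        """Weak form: a valid credential plus any reference returns data."""
        entry = self.records.get(reference)
        return entry[1] if entry else None

    def fetch_bound(self, partner_id, reference):
        """Hardened form: the reference must belong to the caller."""
        if partner_id in self.suspended:
            return "suspended", None
        entry = self.records.get(reference)
        if entry is None or entry[0] != partner_id:
            # One answer for unknown and foreign references, so replies
            # do not confirm which references exist.
            self.denials[partner_id] += 1
            if self.denials[partner_id] >= self.denial_limit:
                self.suspended.add(partner_id)   # stop serving, raise an alert
            return "denied", None
        return "ok", entry[1]


def build_sample_api():
    # Constructed sample data, not real records.
    api = ConsumerReferenceAPI()
    api.create("partner-a", "ref-1001", {"name": "Sample Consumer One"})
    api.create("partner-b", "ref-1002", {"name": "Sample Consumer Two"})
    return api


if __name__ == "__main__":
    api = build_sample_api()
    print(api.fetch_unbound("partner-a", "ref-1002"))  # foreign record is served
    print(api.fetch_bound("partner-a", "ref-1002"))    # foreign record is refused
```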
In a statement, 700Credit said it had notified the FBI and Federal Trade Commission (FTC) about the data breach and was also getting in touch with state attorneys general around the country. The company is also taking the lead in notifying and helping its dealers' customers, starting December 22, including offering them one year of credit monitoring services through TransUnion, it said in a planned letter to affected customers filed with the state of Maine.
700Credit is also working with the National Automobile Dealers Association (NADA).
In an advisory, Michigan Attorney General Dana Nessel warned victims that “if you get a letter from 700Credit, don’t ignore it. It is important that anyone affected by this data breach takes steps as soon as possible to protect their information. A credit freeze or monitoring services can go a long way in preventing fraud.”
Nessel also advised people to be on the lookout for phishing emails, to harden or change passwords, get rid of unnecessary data or files, and to use multifactor authentication on devices and accounts. She also said they should review their credit report often, not only with TransUnion but also Equifax and Experian.
Hill said the investigation into the breach and the process of notifying clients showed that some of the major dealerships had decent cybersecurity infrastructure in place, including frameworks, monitoring, and red teams that attack their own companies’ defenses to test their strength.
The worry is with mid-level and smaller companies that might not have the budget or people to put some protections in place, he added. He urged dealerships to educate themselves about the threats and how to defend against them, and to survey what security capabilities their partners have in place.
He criticized the partner whose compromise led to the attack on 700Credit, saying the intrusion “could’ve been avoided if we’d been notified because we could’ve shut it down.”
Hill said the company last year increased its cybersecurity insurance, noting that “if we hadn’t, we’d be in a lot of trouble.” He said 700Credit had a plan in place to handle a situation like the data breach, but that he and other executives didn’t understand the obstacles when such an attack takes place, including inaccurate communications by others inside and outside of the industry meant to cause panic.
“We didn’t plan for that,” he said, adding that lawsuits already are being filed by customers harmed by the attack even before the company has sent out notices to affected individuals. “Our whole organization is replying to those types of questions that dealers have and concerns that dealers have.”
Law firms that handle class action lawsuits, such as Edelson Lechtzin LLP, are investigating data privacy claims resulting from the data breach and urging those affected to contact them.