At least 1,000 automobile shoppers who submitted online credit applications to any of 150 different automotive dealerships around the U.S. had their personal and financial details exposed on a publicly accessible website, according to a computer security consultant who stumbled across the privacy gaffe.
The exposed site was an administrative page at the Tennessee-based hosting company Dealerskins, a firm that provides turnkey Web solutions to automotive dealerships. The page -- which was not password protected and included no warnings that it was private -- allowed visitors to view, in reverse-chronological order, all of the information that had been typed into Web forms on Dealerskins-hosted sites, like autocentersdirect.com and courtesyflm.com.
The URL for the unprotected page could be determined by visiting a Dealerskins-hosted website and viewing the HTML source code -- a simple matter in most browsers.
After being contacted by the security consultant, who spoke on condition of anonymity, SecurityFocus verified that the page was accessible and appeared to be what the consultant described, then contacted Dealerskins on Tuesday. Dealerskins immediately shut the page down. But company officials claimed their response was so quick that they didn't have time to confirm to their satisfaction that the page was ever publicly accessible to begin with. "Frankly, taking even 30 seconds to figure out what was going on is more than we want to risk," said company president Gabriel Krajicek.
Consequently, the company wouldn't comment on how many records had been at risk, whether anyone prior to the computer security consultant had accessed them, or for how long the data was left exposed on the Internet. On Wednesday, the URL produced a page asking for a username and password.
Victims Shocked, Cynical
Before it was secured, a menu on the exposed page included a dozen categories of forms, like "Employment Form" and "Body Shop Contact." But the most sensitive was the "Finance Form," which contained online credit applications that would-be car buyers had filled out at the websites of local dealerships across the country.
A sample of ten recent applications provided by the computer security consultant included names, addresses, phone numbers, social security numbers, occupations, employers, previous employers, personal references, bank account descriptions, income, length of residency, rental or mortgage payments, duration of employment, and level of education.
Victims of the data spill had differing reactions.
"It crossed my mind that maybe I shouldn't put information in there, but not for a reason like that; I hadn't thought that they would broadcast it," said Misty Woods, a 20-year-old manager at the Oakwood, Ill., McDonald's, who last week applied for financing from her local Ford dealer. Woods said her familiarity with the dealer made her more comfortable applying over the Internet than she would be with other websites. "I'm familiar with Courtesy Ford, so I figured that it was legit."
Hank Clow, the Internet manager at Courtesy Ford, in Danville, Ill., said on Wednesday that the dealership hadn't been notified of any data exposure by Dealerskins, and therefore could not comment.
California bookkeeper Patricia Carr said she expressly selected a particular Honda dealership last weekend because of their Web services. "I knew somebody that actually bought a vehicle at Rock Honda," she said. "What I remember him telling me is, 'This is great, you can apply for it over the Internet and get a quote back, and it made it easy.'"
"I'm in shock," added Carr.
Rock Honda in Fontana, Calif., confirmed that the dealership received Carr's application through its website, but said it was unaware of the data leak. The site was switched over to Dealerskins hosting early this month, said webmaster Rich Enos, who otherwise declined to comment.
Gina Graham, who works at a nursing home in Illinois, said she wasn't surprised that her financial information wound up on a website -- that's what you expect from the Internet, she said. "I'm not thrilled," said Graham, but "if I absolutely didn't want to take a chance of any of it getting online, why would I do it online?"
"Mistakes happen, but I hope that they would contact us and tell us so," Graham added.
Under a recently-enacted California law designed to combat identity theft, companies that collect certain personal information from consumers, including social security numbers, must warn California customers if their "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." A similar national bill is under consideration in Congress.
Financial Privacy Laws Implicated
Moreover, auto dealerships that do their own financing may be subject to the Gramm-Leach-Bliley Act, a federal privacy law, also enforced by the FTC, that generally requires financial institutions to take reasonable measures to safeguard customer data. "Security requirements are never absolute... [but] the storage of personal information in an unencrypted format online clearly is not a reasonable security measure," Hoofnagle said.
David Dolinar, marketing director at Auto Centers Nissan in Alton, Ill. -- which took Graham's online application for financing -- said he was "appalled" by the leak, but that his dealership launched an extensive privacy and information security program earlier this year, which should be enough to satisfy FTC regulations regardless of a vendor breach.
"I have implemented a huge Auto Centers information security program that goes with the FTC privacy rule, that secures the security and confidentiality of dealership information," says Dolinar. "We did a risk assessment with Dealerskins, and they passed our criteria... You try and cover all your bases, but we wouldn't have known that this is one."
Dolinar, too, said his dealership hadn't been notified of the breach.
The security consultant said he stumbled onto the page early this week while visiting a dealership site to make an appointment to have his car serviced. Out of habit, he examined the HTML source code of a form on the site to see if information submitted was properly secured in transit by SSL. It was.
But he noted that form submissions were sent to a "dforms" page on the site, and when he tried surfing to that page in his browser, he was dropped into what turned out to be the administrative interface to Dealerskins' dynamic form management software.
In an effort to determine how large the exposure was, the consultant said he accessed and saved 1,000 credit applications that were tagged as coming from nearly 150 different dealerships, before giving up on getting a full count. He said he retained the data to prove that it had been exposed, but he plans on deleting his copy.
He went public with the matter to ensure that consumers who were exposed on the site would be warned, and to draw attention to the generally poor state of e-commerce privacy, the consultant said. "That could have been my information."
"I think that far too many people are reassured by the fact that their information is sent encrypted over the Internet via SSL, and I see it far too commonly that companies take information that was sent encrypted, and store it in plain text on the server," said the consultant. "Sometimes it's sensitive information."
Without acknowledging that the page had been accessed, or was accessible, Dealerskins suggested that it's not the company's fault if it fell prey to a "hacker" capable of reading HTML source code. "Anyone, feasibly, given enough time and enough resources could hack into any system," said CIO Brad Hill. "We're going to be calling the FBI. Definitely."