700Credit is working aggressively to rectify the data breach that exposed the names, addresses, and Social Security numbers of 5.6 million consumers, aiming to help ease the brand and operational blow to dealers.

First things first: In July, one of 700Credit’s 200+ integration partners was breached, allowing attackers to hammer a 700Credit API with millions of requests around Oct. 25 and access applications submitted between May 25 and Oct. 25.

  • The compromised partner used a 700Credit API that, given a consumer reference ID, could pull consumers’ names, addresses, and Social Security numbers.

  • The API had a design flaw in that it returned data for any valid consumer reference ID without checking that the ID belonged to the requesting account.

  • Using the partner’s compromised environment, the attackers sent millions of automated requests to the API, specifying consumer IDs.
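
The flaw in the bullets above is a missing object-level authorization check. The sketch below is an added illustration, not 700Credit's code: it puts a lookup that trusts any valid reference ID beside one that verifies the record's owner and counts denied lookups per caller. The record store, account names, function names and threshold are all hypothetical.

```python
from collections import Counter

# Constructed sample data: reference ID -> record, tagged with the
# account that submitted it.
RECORDS = {
    "ref-1001": {"owner": "dealer-a", "name": "Sample Consumer One"},
    "ref-1002": {"owner": "dealer-b", "name": "Sample Consumer Two"},
    "ref-1003": {"owner": "dealer-b", "name": "Sample Consumer Three"},
}

DENIED = Counter()          # denied or unknown lookups per calling account
DENIAL_ALERT_THRESHOLD = 2  # hypothetical value; tune to real traffic


class NotFound(Exception):
    """Raised for unknown IDs and for IDs owned by another account."""


def lookup_flawed(caller, ref_id):
    # Flaw as described: any valid reference ID returns data,
    # regardless of which authenticated account is asking.
    record = RECORDS.get(ref_id)
    if record is None:
        raise NotFound(ref_id)
    return record


def lookup_checked(caller, ref_id):
    # Hardened: the record must belong to the authenticated caller.
    record = RECORDS.get(ref_id)
    if record is None or record["owner"] != caller:
        DENIED[caller] += 1
        # Same error for "missing" and "not yours", so responses
        # do not reveal which reference IDs exist.
        raise NotFound(ref_id)
    return record


def callers_to_review():
    # Accounts whose denied lookups reached the threshold: a signal of
    # ID enumeration, for example from a compromised partner environment.
    return sorted(c for c, n in DENIED.items() if n >= DENIAL_ALERT_THRESHOLD)
```

The ownership check closes the data exposure on its own; the denial counter is what lets an operator notice a partner credential walking through reference IDs.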

What they’re saying: “[Attackers] never got access to our production systems,” said 700Credit’s managing director, Ken Hill, on a recent webinar hosted by ComplyAuto. “They never installed any software. This isn't ransomware.”

Why it matters: Even if 700Credit’s production systems weren’t hit, dealers now face angry and anxious buyers, potential reputational damage, extra time and cost handling disclosures and questions, and heightened scrutiny from regulators and OEMs around how they vet and monitor vendors.

Moving forward: Hill spent considerable time during the webinar addressing these issues specifically, while also highlighting what 700Credit is doing to address the breach and what dealers and customers need to know. He also noted that there is no indication that any dealer systems or dealer-facing interfaces were compromised by the hackers.

  • Affected dealers have been sent a letter notifying them of the breach, with the letter including a copy of the consumer notice 700Credit intends to send.

  • Consumer notices have been branded with 700Credit’s name and phone number, not the dealers’—to help protect the affected stores’ brand reputations.

  • 700Credit has worked with NADA and the Federal Trade Commission (FTC) so 700Credit can file one consolidated notice that lists all affected dealers over the threshold, instead of each dealer filing separately.

  • The compliance tech provider (which has also notified the FBI and the appropriate state offices) has set up a helpline for dealers at (866) 273-0345 and another one for consumers at (833) 586-1820.

Hill, who encourages customers and dealers to call the numbers provided if they have any questions, also urged dealers to notify their cyber insurance carrier as soon as possible, because timing is important when filing a claim.

Bottom line: Dealers should treat this as both a customer-care moment and a compliance fire drill: leaning on 700Credit’s branded notifications and helplines to protect their store’s reputation, proactively briefing sales and F&I teams on how to answer consumer questions, and tightening vendor-risk and data-security reviews across the board.
