
FTC: DealerBuilt Hack Affected 130 Dealerships

A 2016 cyberattack laid bare the personally identifiable information of about 12.5 million customers of 130 U.S. dealerships, according to a Federal Trade Commission bulletin announcing a consent agreement with dealer software provider DealerBuilt.

Tariq Kamal, Former Associate Publisher
June 13, 2019

In 2016, a hacker accessed the personal data of about 12.5 million U.S. dealership customers and posted more than 69,000 of those records online over a 10-day period. The breach would be traced to a cybersecurity lapse blamed on dealer software provider DealerBuilt.

Credit: Photo by Génesis Gabriella via Pixabay



WASHINGTON — The Federal Trade Commission announced it has reached a consent agreement with LightYear Dealer Technologies, better known to the U.S. auto retail industry as DealerBuilt. The action is related to a 2016 incident in which a hacker accessed the records of about 12.5 million customers who had done business with 130 DealerBuilt dealerships nationwide.

“The firm’s poor data security practices led to a breach that exposed the personal information of millions of consumers,” the FTC’s statement reads, in part, noting the company “failed to implement readily available and low-cost measures to protect personal information it obtained from its auto dealer clients.”

The hacker posted a 69,283-customer sampling online over a 10-day period. The breach was initially discovered by one of the affected customers, spurring investigations at the federal and state levels. FTC officials said personally identifiable information such as names, dates of birth, Social Security numbers, and bank accounts was “stored and transmitted in clear text, without any access controls or authentication protections.”

The breach was eventually traced back to a DealerBuilt employee who connected an unsecured external storage device to the company’s backup network and left it there for 18 months. “The company never performed any vulnerability scanning, penetration testing, or other measures that would have detected the vulnerability,” according to FTC officials.

The consent agreement precludes DealerBuilt from transmitting or storing personal information until “reasonable data access controls” that meet the standards of the Gramm-Leach-Bliley Act’s Safeguards Rule are confirmed to be in place. Any violation of the agreement could result in severe financial penalties.

DealerBuilt CEO Michael Trasatti told Automotive News the company acted quickly when the breach was discovered three years ago and has been attacking potential vulnerabilities ever since.

“We take securing customer data seriously,” Trasatti said. “We work to continuously improve our security.”

