5.8M Customers Hit in 700Credit Dealership Data Breach
▼ Summary
– 700Credit will notify over 5.8 million people of a data breach caused by a threat actor exploiting an API via a compromised integration partner in July.
– The breach, detected internally in October, resulted in the unauthorized copying of records, including full names, addresses, dates of birth, and Social Security Numbers.
– A security vulnerability in the API, specifically a failure to validate consumer reference IDs, allowed the attacker to steal about 20% of consumer data from May to October.
– The company is offering affected individuals a free 12-month identity protection and credit monitoring service and is handling regulatory notifications on their behalf.
– 700Credit is a major provider of credit and compliance services to U.S. automotive dealers, serving over 23,000 dealer customers.
A significant data breach at financial services firm 700Credit has compromised the sensitive personal information of approximately 5.8 million individuals. The incident originated not from a direct attack on the company, but through a security failure at one of its integration partners. In July, a threat actor breached this partner and discovered an application programming interface (API) that could be used to access 700Credit’s customer data. The partner company did not alert 700Credit to the initial compromise.
700Credit itself detected suspicious activity on its own systems on October 25th, prompting an internal investigation supported by third-party forensic experts. The inquiry revealed that unauthorized copying of records from a web application had occurred. These records pertained to customers of the company’s numerous dealership clients. According to Managing Director Ken Hill, the attacker successfully exfiltrated roughly 20 percent of consumer data over a period from May until October, when 700Credit finally shut down the vulnerable API.
The core security flaw was a failure in the API’s design: it did not properly validate consumer reference IDs against the original requester. This vulnerability allowed the intruder to access and steal vast amounts of personal data. The types of exposed information are particularly sensitive, including individuals’ full names, physical addresses, dates of birth, and Social Security Numbers (SSN).
As a major provider of credit reporting and identity verification services to over 23,000 automotive, RV, and marine dealerships across the United States, this breach has wide-reaching implications. In response, 700Credit has taken steps to manage the regulatory fallout. The company filed a breach notification with the Federal Trade Commission (FTC) both for itself and a consolidated notice on behalf of all its affected dealer clients. This means impacted dealership customers do not need to file their own separate notices with the FTC or state attorneys general.
700Credit has also alerted the National Automobile Dealers Association (NADA) to raise awareness within the industry. For the millions of affected consumers, the company is offering a 12-month complimentary identity protection and credit monitoring service through TransUnion, with a 90-day window to enroll. Individuals receiving a breach notification are strongly advised to vigilantly monitor their financial accounts and consider placing a security freeze on their credit reports to prevent fraud.
While the company has established a dedicated webpage with general details about the incident, no ransomware group has yet claimed responsibility for the attack. The event underscores the critical risks associated with third-party integrations and API security in the financial data ecosystem.
(Source: Bleeping Computer)
