700Credit breach exposes data of 5.8 million dealership customers

700Credit, a U.S. financial services and fintech company, said it will notify more than 5.8 million people that personal information was exposed after a data breach affecting customers of vehicle dealerships.

Investigators traced the incident to a July breach of one of 700Credit’s integration partners, which exposed an API that could return customer information; the partner did not inform 700Credit. The company detected suspicious activity on Oct. 25 and engaged third-party forensic specialists. The investigation found that certain records in the web application relating to customers of its dealership clients were copied without authorization, the company said in the notification to affected individuals.

700Credit’s managing director, Ken Hill, said the attacker exfiltrated roughly 20% of consumer data from May through October before the company terminated the exposed API. The company attributed the access to a security vulnerability in the API – a failure to validate consumer reference IDs against the original requester.
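The flaw described above, a lookup that does not check a consumer reference ID against the party that originally requested it, is an object-level authorization failure. The Python example below is added for illustration and is not code from 700Credit or its partner; every class, method and ID name is hypothetical and the sample records are constructed. It puts the flawed lookup beside one that binds each reference to its requester, returns the same error for unknown and foreign IDs, and counts denials per caller for detection.

```python
from dataclasses import dataclass, field


class NotFound(Exception):
    """Same error for unknown and foreign IDs, so replies do not reveal which IDs exist."""


@dataclass
class Record:
    reference_id: str
    requester_id: str  # party that originally created this reference
    payload: dict


@dataclass
class ConsumerStore:
    records: dict = field(default_factory=dict)
    denied: dict = field(default_factory=dict)  # caller_id -> denied lookups

    def add(self, rec: Record) -> None:
        self.records[rec.reference_id] = rec

    def lookup_unchecked(self, reference_id: str) -> dict:
        # Flawed pattern: possession of a reference ID is treated as authorization.
        rec = self.records.get(reference_id)
        if rec is None:
            raise NotFound(reference_id)
        return rec.payload

    def lookup(self, caller_id: str, reference_id: str) -> dict:
        # caller_id must come from the authenticated credential, not the request body.
        rec = self.records.get(reference_id)
        if rec is None or rec.requester_id != caller_id:
            self.denied[caller_id] = self.denied.get(caller_id, 0) + 1
            raise NotFound(reference_id)
        return rec.payload

    def suspicious_callers(self, threshold: int = 3) -> list:
        # Repeated denials from one caller are a signal worth alerting on.
        return sorted(c for c, n in self.denied.items() if n >= threshold)


def build_sample_store() -> ConsumerStore:
    # Constructed sample data; no real identifiers.
    store = ConsumerStore()
    store.add(Record("REF-1001", "dealer-a", {"name": "Sample Person A"}))
    store.add(Record("REF-1002", "dealer-b", {"name": "Sample Person B"}))
    return store
```
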

The exposed information includes full names, physical addresses, dates of birth and Social Security numbers. 700Credit provides credit reporting, identity verification and fraud and compliance services to more than 23,000 automotive, RV, powersports and marine dealers in the United States.

The company filed notifications with the Federal Trade Commission on its own behalf and on behalf of affected dealer clients and said it will submit required notices so customers do not have to file. 700Credit also informed the National Automobile Dealers Association (NADA) and posted general details on a dedicated page on its website. It is offering 12 months of identity protection and credit monitoring through TransUnion with a 90-day enrollment window and advised recipients to monitor accounts and consider a security freeze.

No ransomware group has claimed responsibility and the identity or motive of the attacker has not been disclosed.