Automotive News Canada - October 2024 - 4

Cyberattacks a warning
shot for dealerships
The auto industry has become
a target for hackers, and
retailers should waste no
time preparing a defence
By DAVID KENNEDY
TORONTO BUREAU CHIEF
WITH RECENT SYSTEM BREACHES AT
AutoCanada Inc., and CDK Global, automotive
retailers must step up their cybersecurity
to fend off criminals who increasingly see the
industry as vulnerable.
Hackers "cast a wide net," said Erik Nachbahr, president of Helion
Technologies, a U.S. cybersecurity and IT company that focuses
on dealerships.
"But when they get
their hooks into an industry that doesn't have
the proper safeguards, they start 'spear fishing.'"
Publicized attacks - particularly two
breaches at dealership management
system company
CDK in June - have shown
that the industry is worth
infiltrating, said Justin
Shanken, CEO of the U.S.
cybersecurity company Black
Breach.
Nachbahr: The weak link in cybersecurity remains staff email habits that let criminals penetrate the IT system. PHOTO: HELION TECHNOLOGIES
"Dealerships, in the eyes of a bad guy, ... come across
as very lucrative targets," Shanken said.
Management at dealerships is typically older and less
inclined to invest in the latest technology, he said, so
retailers are particularly susceptible to coordinated hacker
groups that treat online extortion as a business.
In the approach known as "ransomware as a service,"
attackers gain access to a corporate
network, steal or lock up sensitive information,
then threaten to leak or permanently
withhold the data unless a ransom is paid.
USING STAFF EMAIL TO GAIN ACCESS
Email is the Achilles' heel, accounting for
about 95 per cent of all breaches, Nachbahr
said.
"They're still trying to get in via the users -
the dealership employees - but they're trying
to get into the network ... to actually lock out
the system," he said.
For this reason, it's particularly important
to watch accounts with administrative privileges
that can access all files and make configuration
changes to the network, Nachbahr said.
It's a relatively simple best practice to keep an
up-to-date list of admin accounts and regularly
purge those that are inactive, he said.
Monitoring is a more intensive step but also
key to stopping breaches.
If an account user regularly logs on in
Toronto, for instance, the same user popping
up in Beijing an hour later should be cause for
alarm, Nachbahr said.
"That's impossible and should throw up a
huge flag."
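
An added example, not part of the original article: a short Python audit of a login log that covers both practices described above, listing admin accounts that have gone inactive and flagging the Toronto-then-Beijing "impossible travel" case. The account names, coordinates, 900 km/h speed ceiling, 50 km jitter floor and 90-day window are all assumptions chosen for illustration.

```python
"""Added example: audit a login log for stale admin accounts and impossible travel."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0                      # assumed ceiling: roughly airliner cruise speed
STALE_AFTER = timedelta(days=90)     # assumed inactivity window for admin accounts

# Constructed sample data (UTC timestamps, approximate city coordinates).
ADMINS = {"svc-backup", "j.smith"}
LOGINS = [
    ("j.smith",    "2024-10-01T13:00:00", 43.65, -79.38),   # Toronto
    ("j.smith",    "2024-10-01T14:00:00", 39.90, 116.40),   # Beijing, one hour later
    ("a.lee",      "2024-10-01T09:00:00", 43.65, -79.38),   # Toronto
    ("a.lee",      "2024-10-01T15:00:00", 45.50, -73.57),   # Montreal, six hours later
    ("svc-backup", "2024-05-02T03:00:00", 43.65, -79.38),   # last seen in May
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (user, earlier, later, km) for consecutive logins faster than max_kmh."""
    alerts, last = [], {}
    for user, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            prev_when, prev_lat, prev_lon = last[user]
            km = km_between(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Ignore moves under 50 km (geolocation jitter, an assumed floor);
            # zero elapsed time over a real distance is also impossible.
            if km > 50 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((user, prev_when, when, round(km)))
        last[user] = (when, lat, lon)
    return alerts

def stale_admins(admins, logins, now, stale_after=STALE_AFTER):
    """Return admin accounts with no login inside the window (candidates to purge)."""
    latest = {}
    for user, ts, _lat, _lon in logins:
        when = datetime.fromisoformat(ts)
        latest[user] = max(latest.get(user, when), when)
    return sorted(a for a in admins
                  if a not in latest or now - latest[a] > stale_after)

if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print("impossible travel:", alert)
    print("stale admins:", stale_admins(ADMINS, LOGINS, datetime(2024, 10, 2)))
```

IP-based geolocation is coarse and VPN or mobile-carrier exits can trigger false alarms, so an alert like this is a prompt to verify with the user, not proof of compromise.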
Other threats can be far more insidious.
Catching attackers who have broken into
the system and are working toward gaining
admin privilege - a process those in the
cybersecurity industry call lateral movement
- often takes a greater level of scrutiny,
Shanken said. With internal IT teams typically
unequipped to pick up on such activity, this
usually means engaging an outside partner,
he said.
GETTING OUTSIDE HELP TO PREVENT BREACHES
Along with active monitoring for threats,
cybersecurity companies also typically run penetration
tests, during which friendly hackers
try to breach a company's system to identify
and then shore up weaknesses, Shanken said.
Canadian dealers have been taking such
steps to bolster their cybersecurity protections
for years, said Huw Williams, public affairs
director for the Canadian Automobile Dealers
Association, which represents more than 3,000
retailers.
Most dealers are already "well ahead" of
other retail businesses in Canada on cybersecurity,
he said, but the recent CDK breach has
only pushed network security further up priority
lists.
"If a player like CDK can go through what
they went through on a cybersecurity level,"
Williams said, "then you've got to really redouble
your efforts for not just the cyber protection
but just the awareness of the employees for all
of the attempts that get made to compromise
your system." - ANC
SECURITY REGULATIONS
Over the past two years, dealerships in the
United States have been required to improve
cybersecurity protocols in response to the
Federal Trade Commission's Safeguards Rule
designed to protect sensitive consumer data.
Among other steps, businesses must maintain
an information security program, keep a log
of who accesses customer information and
report any breaches that affect more than 500
customers.
While Canadian dealers don't face regulations
that are "exactly equivalent," the federal
Personal Information Protection and Electronic
Documents Act (PIPEDA) puts similar safeguards
in place, said Huw Williams, public
affairs director for the Canadian Automobile
Dealers Association.
PIPEDA requires dealerships to maintain a
"security policy" that relies on up-to-date technological
tools such as encryption and organizational
controls to limit access. The act also
requires dealers to review their policies for
vulnerabilities through regular audits and conduct
staff training on security protocols.
Provincial privacy regulations in Quebec,
Alberta and British Columbia layer on their
own set of consumer-protection requirements,
Williams said.
Ransomware outfit claims to
have stolen financial, employee,
sales data from AutoCanada
Allegation follows IT
breach from August;
dealership group
hasn't confirmed it's
being held for ransom
By DAVID KENNEDY
TORONTO BUREAU CHIEF
A CYBER GANG SAID IT STOLE A
large amount of financial, employee
and sales data from publicly traded
dealership group AutoCanada.
The Sept. 17 notice and ransom
demand on the dark web follows an
IT breach AutoCanada first reported
on Aug. 11.
Cybercrime group Hunters
International gave a Sept. 20 deadline
to pay the ransom, according
to cybersecurity company
HackManac, one of several dark-web
monitoring organizations that
flagged the threat.
AutoCanada owns 65 new-vehicle
franchises in Canada and 18 in the
United States. The group did not
confirm the ransom request.
"We are working with law
enforcement authorities to address
the incident," said Peter Hong,
AutoCanada's chief strategy officer
and general counsel, in a Sept. 23
email to Automotive News Canada.
"We are not able to provide any further
comments at this time, other
than what we previously publicly
disclosed."
The company did not respond
by deadline to a request for further
comment.
Hunters International focuses
on cyberattacks to steal or lock
corporate data, then demands victims
pay ransoms to regain access
to the information or keep it from
being leaked, said HackManac
CEO Sofia Scozzari in an email to
Automotive News Canada. Hunters
International has targeted more
than 150 companies in 32 countries
in 2024, she said.
To extract ransoms, Scozzari
said, Hunters International publicizes
victims on the dark web,
where tracing the hackers is nearly
impossible.
IMMEDIATE ACTION AFTER BREACH
AutoCanada said in August that
after discovering the breach, it took
immediate action to safeguard its
network and data, engaging cybersecurity
experts to "assist us with
containment and remediation
efforts, as well as to conduct a thorough
investigation to understand
the scope and impact of the incident."
Whether customer, supplier and
employee data were compromised
was not known, the company said
at the time.
The breach was unrelated to the
two cyberattacks in June on dealership
management system company
CDK Global, said AutoCanada
Executive Chairman Paul Antony
on Aug. 14.
The CDK outage impacted thousands
of franchised retailers in
North America, including some
belonging to AutoCanada.
Hunters International focuses on cyberattacks to steal or lock corporate data. On Sept. 17, it publicized on the dark web that it was extorting AutoCanada, which owns 65 new-vehicle franchises in Canada and 18 in the United States. PHOTO: AUTOCANADA
Ransoms for successful cyberattacks
can run into the millions
of dollars but are heavily dependent
on the circumstances and presumed
value of the data, said Erik
Nachbahr, president of Helion
Technologies, a U.S. cybersecurity
and IT company that focuses on
auto dealerships.
CDK reportedly paid a ransom of
US $25 million (Cdn $36 million) to
hacking group BlackSuit to restore
its system.
Attackers typically make ransoms
"attractive enough" that companies
opt to pay them to get their
systems back online as quickly as
possible, Nachbahr said.
PAYING TO MAKE HACKERS GO AWAY
Groups such as Hunters
International hold up their end
of the deal, he added, proving to
future victims that paying the ransom
means resolution.
"There's no incentive for [attackers]
to not restore the system. They
want to get the money and they
want people to have faith that
they're going to restore the system."
Shanken: When hackers "find an industry that pays out, like dealerships, they abuse that industry." PHOTO: BLACK BREACH
The approach, known as ransomware-as-a-service,
is on the rise, said Justin Shanken,
CEO of Black Breach, an Atlanta
cybersecurity company.
"Most of these attackers and
attack groups, like the Hunters
attack group, they are working as a
professional business, as a fighting
force that's hitting industries."
Auto retail has become a target
of choice for cybercriminals,
Shanken said, partly because it's
perceived as a relatively easy target
with businesses that are slow to
invest in technology.
"They're looking for very soft
... targets that they're hitting over
and over again. When they find an
industry that pays out, like dealerships,
they abuse that industry."
The CDK Global cyberattack
drew international headlines and
painted a bigger target on the
industry's back, Shanken said.
"Bad guys follow the news," so as
they watched the fallout, they saw
further opportunities, he said.
- ANC
