An Iowa software company selling data services to auto dealers has agreed to a settlement with the Federal Trade Commission after the FTC alleged the firm’s poor data security practices led to a breach exposing personal information of millions of auto dealer customers. 

The FTC approved the settlement this week with LightYear Dealer Technologies LLC, known by DealerBuilt, which has offices in Mason City and Grapevine, Texas. The FTC alleges that DealerBuilt failed to implement security measures to protect the personal information of individuals it obtained through its auto dealer clients. The FTC alleges that DealerBuilt failed to develop or implement information security policies and training for employees, and never performed vulnerability scanning, penetration testing or other measures. 

The lack of preventative measures led to a breach of DealerBuilt’s backup database in October 2016 over 10 days, when a hacker gained access to unencrypted personal information of 12.5 million consumers stored by 130 DealerBuilt customers, and downloaded information of more than 69,000 consumers, including Social Security numbers, driver’s license numbers and financial information. The data was allegedly stored in clear text without authentication protections, and was left insecure after an improperly configured storage device was connected to the company’s backup network for 18 months.

“DealerBuilt did not detect the breach until it was notified by one of its auto dealer customers, who demanded to know why its customer data was publicly available on the internet,” the FTC reported in June.

Under the settlement, DealerBuilt is prohibited from collecting or maintaining personal information until it develops an information security program. DealerBuilt is also required to obtain third-party assessments of its security program every two years.  

DealerBuilt develops auto dealer management software and data processing services, which collect personal information of dealership consumers; the firm’s payroll software also collects personal information of dealership employees, including bank account information, the FTC said.