Data Breach Allegedly Affects 700Credit, Exposing Millions of Customer Records

Report Claims More Than Eight Million Records Offered for Sale on Dark Web

A recent online report alleges that 700Credit, a provider of credit-related services, has suffered a significant data breach potentially affecting more than eight million customer records. The breach reportedly occurred in late October.  

700Credit has not publicly confirmed the breach or provided any statement regarding these allegations; however, at least one class action lawsuit has already been filed in connection with this incident. Furthermore, we have become aware of communications from 700Credit to dealers describing the incident and the steps it is purportedly taking to notify affected consumers.

If you are a dealer who uses 700Credit services, many of the same legal and practical considerations apply here as with the widely reported CDK breach in 2024. These include notice requirements and other steps, such as notifying your insurance carrier and contacting your legal counsel. However, there are important differences as well – those are discussed below.

Details of the Alleged Breach

According to the online report, threat actors have posted the stolen data for sale on dark web marketplaces after negotiations with the company allegedly broke down. The dark web listing allegedly includes a sample of 100 records that appear to contain sensitive consumer identity and verification information. The exposed data fields shown in the sample reportedly include: full names; Social Security numbers; dates of birth; residential addresses; and employment information (in some records).

Guidance for Dealers

If you use 700Credit, the first step is to seek information from 700Credit by contacting your 700Credit representative – and to do so quickly. You need to determine whether any of your customers were affected by the incident. You should specifically ask whether your customer data was exposed and, if so: (a) how many of your customer records in total; (b) which specific individuals (those will be the individuals you may need to notify); and (c) the state of residency of each individual (how many from each state, if applicable). You should also obtain details about 700Credit’s plan to notify affected consumers, regulatory agencies, and/or credit reporting agencies, whether the notice will be provided on your behalf (in your name) or not, the timeline for official notifications, and whether 700Credit is planning to address the notice in a timely and adequate manner under all state and federal laws.

Time is of the essence because you want to notify consumers in time for them to stop the potential problems. In most cases, under both state and federal law, the obligation to notify consumers must be met quickly. It varies, but the notice obligations are generally stated as something to the effect of  “as soon as possible and no later than 30 days from the incident.” 

Second, ensure that the contract amendments with 700Credit (and all other vendors) required under state privacy law and the FTC Safeguards Rule are signed and up to date. ComplyAuto can help you with that process. We work with all dealer vendors and help you ensure that you have signed agreements with all vendors, including 700Credit if needed. See more details on that below.

Are You Responsible for Notifying Consumers and Regulators? 

It is important to note that even if 700Credit is notifying consumers and/or regulators and taking other steps to rectify the situation, that may not satisfy all of your notice or other obligations to your customers under your state (or federal) law.

Remember that the basic “rules” are that dealers are generally responsible for breaches or security events involving their customer data, even when the incident occurs at a dealership service provider.  That means that dealers are ultimately potentially responsible for ensuring adequate notice is sent to affected consumers, state AGs, credit reporting agencies, and/or the FTC. See the detailed guidance at the links above for more details. 

NOTE: The notice obligations vary under state and federal law. There is no guarantee that any customer notice will be sufficient under your state law or federal law. Therefore, while dealers should certainly confirm that 700Credit will be notifying your affected customers, unfortunately, that may not end the inquiry.

ComplyAuto Data Breach Wizard

As a reminder, ComplyAuto customers have access to a Data Breach Wizard within the ComplyAuto software that will walk you through the complicated questions you need to answer about:

  • The scope of the incident – how many of your customers were affected
  • Whether you must notify affected customers
  • Whether you are required to provide credit monitoring services to affected customers
  • Potential state Attorney General notification requirements
  • Consumer reporting agency notification obligations
  • Potential Federal Trade Commission notification requirements

This tool can help you navigate the complex web of notification requirements and ensure compliance with applicable state and federal laws. It will even provide a sample notice letter if needed.  

This Incident Differs in Some Ways From Other Recent Vendor Breaches

While the general considerations and requirements regarding breach notice are similar to those in the 2024 CDK incident, this incident is different from CDK in several ways.  

First, even if your customer’s information was among the affected data, at this point, it is not clear what the extent of the customer information involved is, or even if it involves customer information provided to 700Credit by your dealership. With your DMS, the data involved came from your dealership, and you had an idea of the scope of data involved. Here, the customer information provided to 700Credit could have come from your system, but even if an individual is your “customer,” it could have come to 700Credit from a motor vehicle finance company, or other third party vendor, or even from a credit inquiry at another dealer.  

Even if you find that your customers are among the affected individuals, it may be unclear whose obligation it ultimately is to provide the required notices. You may need to determine whether you will notify your customers (or state or federal regulators) even if it may be unclear that the data at 700Credit came from your dealership. The potential customer relations issues may outweigh the strict legal analysis.

Second, the exact nature of your relationship (if any) with 700Credit may not be as straightforward as your service provider relationship with your DMS provider. Your dealership may have a direct contractual, service provider relationship with 700Credit – and if so, you must confirm that you have the requisite service provider contract amendments required under both federal and state law. However, you need to understand whether you have access to, or utilize, 700Credit’s services through another service provider or third party so that you can ensure that your required data safeguards and risk assessment documentation cover 700Credit – either directly (they are a party) or indirectly through that other service provider or third party.

In other words, even if you don’t have a contract with 700Credit directly, you might use their services (and share data with them) through another service provider relationship (Service Provider “X”). You should take steps to ensure that you have the requisite service provider contract amendments required under both federal and state law with Service Provider X, and that those agreements cover the functions of 700Credit. ComplyAuto can help you understand and update your records if needed.  

Third, while DMS companies maintain highly sensitive information, the nature of the information that has allegedly been affected here is so highly sensitive that dealers should work with all due speed in seeking answers. Given the severity of potential harm to consumers from potential exposure of Social Security numbers, dates of birth, and credit information, dealers may wish to notify their customers even if they cannot ascertain with any certainty the nature or scope of the incident among their customers. Again, that is a difficult legal question about which you should consult with legal counsel.

Act with Urgency Given the Deadlines and the Sensitive Nature of the Data

Again, the most important step you can take now is to reach out to 700Credit to obtain details about whether your customers were affected by the alleged incident – and to do so quickly.  Remember that the consumer notice you are required to provide includes important information for consumers about how they can:

  • Place fraud alerts on their credit reports
  • “Freeze” their credit to prevent unauthorized access
  • Take advantage of credit monitoring or other services
  • Take other protective measures to avoid identity theft or other incidents

Providing this information promptly—even in the absence of complete certainty—can help your customers take protective action and may reduce potential harm. Note, however, that it is not always an easy decision to send notice to consumers who may not have been affected, as sending a notice when not required can also cause consumer concern and distress. Dealers should consult with their legal counsel, insurance carrier, and IT professionals in deciding whether customer notice is appropriate.

One Last Reminder

The steps above are the most urgent at this time, but don’t forget that this may require you to also assess the risks related to this issue and account for it under the FTC Safeguards Rule.  That is not the pressing issue for today (and again, ComplyAuto can help), but don’t forget that incidents such as these will require some steps to be taken (and documented) with respect to periodic assessment of service providers, as well as your information security program under the Safeguards Rule.

Summary

While a data breach can happen to any company, communication is critical. Reach out to 700Credit today. Dealers should (a) get details from 700Credit; (b) notify legal counsel and insurance providers; (c) confirm safeguards and risk assessment documents are completed and signed; (d) use the ComplyAuto Breach Reporting Wizard to determine any reporting obligations; and (e) consider proactively taking the steps necessary to protect your customers and the dealership.
