Motility Software Solutions, a subsidiary of Reynolds and Reynolds, and a dealer management software (DMS) provider serving approximately 7,000 primarily RV, powersports, marine, and related dealerships nationwide, recently disclosed a significant data breach affecting 766,000 individuals. The reported August 19, 2025, cyberattack involved unauthorized access, data exfiltration, and system encryption through ransomware deployment. The compromised information includes personal data such as Social Security numbers, driver’s license numbers, and other personally identifiable information.
The Reported Incident
The breach notification was filed with the Maine Attorney General’s office, as Maine law requires notification when Maine residents are affected. Motility (formerly Systems 2000/Sys2K) reported that it detected unusual activity within certain computer servers supporting its business operations on or around August 19, 2025. The company’s investigation revealed that an unauthorized actor deployed malware that encrypted portions of their systems and restricted access to internal data. Forensic analysis indicates the threat actor may have removed limited files containing consumers’ personal data prior to encryption.
Following discovery of the incident, Motility offered to provide complimentary one-year identity monitoring for affected individuals, with enrollment available through December 19, 2025.
Recent press reports indicate that a group called the “Pear gang” has claimed responsibility, and posted stolen data online. Recent press reports also indicate that this group claims that “four terabytes of data were exfiltrated from Reynolds and Reynolds,”1 although Reynolds has publicly stated that its “systems and network is separate from Motility’s network and was not affected by the incident.”2
Dealer Obligations When a Vendor Has a Breach
Dealers are generally obligated to follow the state and federal requirements related to consumer and agency notification when there is a breach that affects the customer data they maintain— even if the breach occurred at a dealer vendor. ComplyAuto put together extensive guidance materials last year in connection with the CDK breach3, and those same considerations may be applicable here. For dealers that do need to report the breach to consumers, or state or federal agencies, ComplyAuto has a Data Breach Reporting Wizard in our software that will guide you through the process under each state’s specific requirements, as well as those of the FTC.
Industry Implications
Dealers obtain and maintain a tremendous volume of highly sensitive consumer data. This means that dealer vendors, like DMS companies, face significant and concentrated threats from bad actors and ransomware gangs. Dealers must continue to monitor their vendors and ensure that they meet their own legal obligations in connection with a breach. This is another reminder to dealers that not only do they need to have their own internal cybersecurity in order, but they are obligated to ensure that their vendors do as well.
Conclusion
Dealers should view this incident as yet another reminder of the need for enhanced third-party risk management, robust backup and recovery capabilities, and comprehensive incident response planning.
The FTC Safeguards Rule requires dealers to monitor and oversee third party service providers, and to take steps internally and externally in the event of a breach. Contact ComplyAuto today if you have any questions, or want to join the over 10,000 dealers who stay compliant with the FTC Safeguards Rule with ComplyAuto Privacy and Cybersecurity.
This article is provided for informational purposes and does not constitute legal advice. Organizations should consult with qualified legal counsel regarding specific compliance obligations and incident response requirements.
- See https://www.comparitech.com/news/auto-dealership-software-company-notifies-767000-people-of-data-breach-claimed-by-ransomware-gang/. ↩︎
- See https://www.reyrey.com/company/media-center/news-releases/motility-software-solutions-discloses-data-security-incident. ↩︎
- See, e.g., https://complyauto.com/legal-and-regulatory-considerations-for-auto-dealers-in-the-wake-of-a-vendor-security-incident/. ↩︎