- Key insight: The attacker gained access to 700Credit’s system by first compromising a third-party partner’s system in July, and then launching the data scraping attack months later.
- Supporting data: The breach compromised names, Social Security numbers, and dates of birth for approximately 5.8 million consumers.
- Forward look: Class action lawsuits have been filed, and 700Credit is providing credit monitoring while auto dealers review their vendor security.
Overview bullets generated by AI with editorial review
700Credit, a major credit check and compliance provider for the automotive lending industry, suffered a data breach exposing the sensitive financial information of nearly 6 million consumers, forcing auto dealers to navigate complex federal reporting requirements.
The Southfield, Michigan-based company discovered the attack on Oct. 25. An attacker exploited a vulnerability in an application programming interface, or API, that 700Credit used to grant partners access to financing data, according to Ken Hill, 700Credit managing director.
700Credit has since secured the API. It has also dropped the partner whose systems the attacker had compromised in order to learn how the API worked.
The breach compromised names, addresses, Social Security numbers and dates of birth for approximately 5.8 million people, according to a data breach notification 700Credit filed with the Office of the Maine Attorney General.
The incident highlights third-party vendor risks facing lenders. The attacker gained access to 700Credit’s data logs by compromising the dropped partner’s system as early as July, though the attack was not launched until late October.
How the vulnerability worked
The attacker, which 700Credit has not named, gained access to 700Credit’s API by first compromising the systems of a second, smaller partner back in July.
That firm, which 700Credit also has not named, provides outsourced finance and accounting services to small auto dealers that lack their own finance offices.
The attacker accessed this unnamed partner’s communication logs, which revealed how the partner’s system communicated with 700Credit’s servers and yielded credentials the attacker could use to access 700Credit’s system.
The partner used 700Credit’s API the same way 700Credit’s many other API partners use it — to view consumer information without storing it locally.
The system relies on consumer reference IDs to retrieve the data. However, 700Credit’s system did not check whether a requested reference ID belonged to the partner account making the request.
“We weren’t validating the consumer reference IDs to the original requestor,” Hill said in
Although 700Credit encrypts data on its servers and during transmission, the compromise at the unnamed partner gave hackers access to valid credentials and decryption keys, which they used to make the malicious API calls, Hill said during a December webinar hosted by compliance firm KPA.
“The partner systems have a decryption key … so there is encryption all the way to the delivery to the partner platform,” Hill said during
Once the attackers understood this mechanism, they launched a so-called velocity attack on Oct. 25, bombarding 700Credit’s system with millions of sequential and randomized reference IDs to scrape data from unrelated accounts.
The velocity attack lasted an hour and a half, which was the amount of time it took for security teams to detect the anomaly and disable the compromised API.
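A velocity attack of the kind described above has a recognizable shape in API access logs: one credential issuing far more distinct reference IDs per minute than a dealership ever would, walking sequential IDs, and collecting an unusual share of not-found responses. The detector below is an added example, not 700Credit’s tooling; the log format, the three thresholds and the partner names are constructed assumptions, and the sample log embeds two ordinary partners beside one credential enumerating 300 sequential IDs in a few seconds.

```python
"""Per-credential velocity detection over constructed API access logs.

Added example, not 700Credit's tooling. Log format (timestamp, credential,
reference ID, status), thresholds and partner names are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: two ordinary partners, then one credential walking
# sequential reference IDs every 20 ms with one request in three missing.
SAMPLE_LOG = "\n".join(
    [
        "2025-10-25T09:00:00Z dealer-a 100001 200",
        "2025-10-25T09:04:12Z dealer-a 100002 200",
        "2025-10-25T09:11:40Z dealer-b 100003 200",
    ]
    + [
        f"2025-10-25T09:30:{i // 50:02d}.{(i % 50) * 20:03d}Z partner-x "
        f"{100000 + i} {'404' if i % 3 == 0 else '200'}"
        for i in range(300)
    ]
)


@dataclass
class Event:
    ts: datetime
    credential: str
    reference_id: str
    status: int


def parse_line(line: str) -> Event:
    """Parse one whitespace-separated log line (constructed format)."""
    ts, credential, reference_id, status = line.split()
    return Event(datetime.fromisoformat(ts.rstrip("Z")), credential, reference_id, int(status))


def sequential_run(events) -> int:
    """Length of the longest run of consecutive numeric IDs in time order."""
    longest = run = 1
    for prev, cur in zip(events, events[1:]):
        if cur.reference_id.isdigit() and prev.reference_id.isdigit() \
                and int(cur.reference_id) == int(prev.reference_id) + 1:
            run += 1
        else:
            run = 1
        longest = max(longest, run)
    return longest


def detect_velocity(lines, window=timedelta(seconds=60), max_distinct=100,
                    max_miss_ratio=0.25, min_requests=20, min_run=25):
    """Return {credential: sorted reasons} for credentials that trip any rule.

    Rules, each evaluated per credential:
      distinct_ids   - more than max_distinct distinct IDs inside one window
      miss_ratio     - 404 share above max_miss_ratio once a window holds
                       at least min_requests requests
      sequential_ids - a run of at least min_run consecutive numeric IDs
    """
    by_cred = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_cred[ev.credential].append(ev)

    findings = {}
    for cred, events in by_cred.items():
        events.sort(key=lambda e: e.ts)
        reasons = set()
        start = 0
        for end, ev in enumerate(events):
            while ev.ts - events[start].ts > window:   # slide the window
                start += 1
            in_window = events[start:end + 1]
            if len({e.reference_id for e in in_window}) > max_distinct:
                reasons.add("distinct_ids")
            if len(in_window) >= min_requests:
                misses = sum(1 for e in in_window if e.status == 404)
                if misses / len(in_window) > max_miss_ratio:
                    reasons.add("miss_ratio")
        if sequential_run(events) >= min_run:
            reasons.add("sequential_ids")
        if reasons:
            findings[cred] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for cred, reasons in detect_velocity(SAMPLE_LOG.splitlines()).items():
        print(f"{cred}: {', '.join(reasons)}")
```

Run on the constructed log, only the enumerating credential is reported, on all three rules, and it trips the distinct-ID rule within the first few seconds of its burst. The useful property for a defender is that the alert attaches to a credential rather than to traffic volume as a whole, so the response can be to revoke that one partner key rather than to take the API down.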
In the end, from May to October, the attacker got about 20% of 700Credit’s data.
Although 700Credit closed the vulnerability quickly, the attackers continued to bombard the company’s infrastructure.
The company received a message from the threat actors on Oct. 31 signaling they had ceased their efforts. 700Credit said in
Attacker gave assurances to 700Credit
Hill told CBT News that the company seriously weighed paying the attackers to prevent the release of data — a common tactic in data extortion schemes.
“There were several heated conversations about that,” Hill told the news outlet in response to a question about whether 700Credit considered paying the attacker. “I understand both sides of the argument … but you got a business to run, and you have a responsibility to your customers.”
Hill did not explicitly confirm if the company ultimately made a payment, but he noted that he is operating under the assumption that the stolen data has been contained, based on assurances from the attacker.
“We believe we’ve secured the data,” Hill said. However, for the company to believe that the data is secured, “you’re trusting the word of someone that attacked you,” he qualified.
Regulatory relief for dealers
The breach triggered compliance obligations for auto dealers, which are classified as financial institutions under a Federal Trade Commission rule regarding data breach notifications. The rule mandates that institutions report breaches within 30 days.
To mitigate the administrative burden on 700Credit’s 18,000 dealership clients, the National Automobile Dealers Association, or NADA, coordinated with 700Credit to streamline this reporting.
The FTC accepted a proposal allowing 700Credit to file a single, consolidated breach notice on behalf of all affected dealer clients, according to
“Dealers have no obligation to file a breach notice with the FTC related to this matter,” NADA said in the notice.
However, affected dealers must still navigate state-level notification laws. 700Credit is managing these filings and sending notices to consumers on behalf of dealers, but the legal liability generally remains with the dealership as the custodian of the data.
“Generally speaking, the paradigm is that the dealer is the one … they’re generally liable for these notification obligations even if a service provider is the one that had an issue,” said Brad Miller, chief legal officer at ComplyAuto, during the webinar with Hill.
Legal and reputational fallout
Despite the coordinated response, the breach has already sparked litigation.
“People have already filed class action suits before we even released any names,” Hill told CBT News.
State regulators have also urged consumers to take protective action. Michigan Attorney General Dana Nessel advised residents to freeze their credit and monitor for phishing attempts, according to
700Credit is providing 12 months of credit monitoring and identity restoration services through TransUnion to affected consumers. The company also advised dealers to review their own vendor management processes, a requirement under FTC rules.
“I would encourage dealers to look at their vendors … understand their security policies, processes in place, and understand their cyber security,” Hill told CBT News.
The company confirmed that the breach did not involve ransomware and that forensics teams found no malware installed on its internal systems.
