Overview
700Credit reported a late-October cyberattack that exposed sensitive data tied to approximately 5.6 million consumers and nearly 18,000 dealerships across North America. The breach was confirmed in a Dec. 4 report and involved an API connection on 700Dealer.com managed by a third-party vendor. 700Credit says it closed the vulnerability and spent two weeks hardening systems.
What Happened
Attackers exploited a third-party–maintained application programming interface linked to 700Credit’s systems via 700Dealer.com. The company detected the intrusion, shut down the unauthorized access, and implemented additional security measures.
Data Involved
Exposed information includes names, addresses, Social Security numbers, and employment details.
Scope and Impact
Given 700Credit’s role in dealership finance, identity verification, and compliance workflows, the incident is among the most significant security events in automotive retail in recent years. The interconnected nature of dealer systems and vendor APIs heightened the reach and risk.
Company Response
- Notified its insurance provider, engaged outside cybersecurity experts, and retained a breach attorney.
- Alerted federal and state authorities, including the Federal Trade Commission (FTC).
- Initiated notifications to dealerships and is progressing with consumer notifications.
- Is offering affected consumers 1–2 years of complimentary identity and credit monitoring and a dedicated support line.
- Worked with the National Automobile Dealers Association to secure FTC approval for 700Credit to notify consumers on behalf of participating dealerships.
Key Risks Highlighted
- Third-party and API integrations can expand the attack surface if authentication, access controls, or monitoring are weak.
- Vendor dependencies in dealership ecosystems can magnify the effect of a single compromise.
What Dealers Should Do Now
- Confirm with 700Credit whether your customers’ data was involved and document findings.
- Review and meet state/federal notification requirements; coordinate timing and content with 700Credit, especially where it will notify on your behalf under the FTC-approved framework.
- Revisit contracts and data processing agreements to clarify security and breach-response roles, particularly around third-party integrations and API access.
- Verify that only the minimum necessary data is shared; ensure multifactor authentication and role-based access controls are in place.
- Update incident response plans, vendor alert contacts, and customer notification procedures for shared-data scenarios.
What Consumers Can Do
- Enroll in the free identity and credit monitoring offered by 700Credit.
- Consider placing a fraud alert or a credit freeze with the major credit bureaus.
- Monitor financial accounts and watch for phishing attempts referencing the incident.
Outstanding Unknowns
- Identity of the third-party vendor.
- Exact breach start date, duration of access, and whether any demands or communications were received from attackers.
- Whether any dealer-only data separate from consumer records was accessed.
Timeline (as reported)
- Late October: Malicious activity occurred via a third-party API on 700Dealer.com.
- Post-discovery: Vulnerability closed; two-week system hardening period.
- Dec. 4: Report confirms scope; notifications to dealerships underway and consumer outreach in progress.
Bottom Line
This is a significant third-party/API-driven breach in automotive retail. While 700Credit has contained the entry point and initiated regulatory and customer notifications, dealerships should verify exposure and tighten integrations, and consumers should take advantage of monitoring and consider fraud protections.













