In the wake of Capital One Financial’s data breach, auto lenders should evaluate ways to tighten up cybersecurity and identify points of vulnerability.
The breach compromised 140,000 Social Security Numbers, and 80,000 bank account numbers were made available, according to the bank’s response to the breach. However, the impact might be “somewhat contained,” said Brian Landau, senior vice president and TransUnion’s auto line of business leader.
“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” the bank noted. “However, we will continue to investigate.”
Yet, the threat alone should be enough to prompt auto lenders to double-check their cybersecurity practices, said Jeremy Acevedo, Edmunds‘ manager of industry analysis. “On the heels of a wave of massive data breaches, the auto loan industry needs to redouble security and search for any points of vulnerability,” he said. “With so many involved parties in the auto loan process, it is imperative to get buyers, dealers and lenders on the same page.”
Auto loans include a full complement of sensitive personal data, from SSNs and contact information to employment and vehicle information. “In the wrong hands, this is a treasure trove of information that can be put to ill-use,” Acevedo added.
To that end, lenders should ensure that dealer partners are taking the necessary measures to prevent cyber attacks, Landau said. “With the indirect model today — dealers are [lenders’] first line of defense,” he said. “[Lenders] who are interacting in a digital way need to be more judicious in their ID tech.”
The best tip for lenders is to move away from sharing consumers’ SSNs on the internet via their dealerships’ online financing. “Lenders want consumers to have the ability to reduce friction online,” Landau said, noting that consumers may shy away from a lender’s online portal if they have to share SSNs. In fact, a lender can give a consumer a prequalification with just a name and physical address, Landau said.
Franchise dealership Burlington Volkswagen, for one, is a New Jersey-based dealership that does not require a SSN as a part of its prequalification process, said Ken Luna, vice president of strategic partnerships at CreditMiner. “Dealers should get rid of their financing app online to require SSNs,” Luna said. “It’s easy to misuse it, and it’s easy to fall into the wrong hands.”
CreditMiner, a company that provides bureau data to 1,000 dealership partners, argues that instead, a consumers’ SSN should be shared in person at the dealership once the consumer is ready for a qualified offer. “We are an extension of the credit bureaus,” Luna said. “For [Equifax] to get hacked as they did and continue to use SSNs in the prequalification process — it’s crazy.”
Capital One Financial’s stock was down 7.39%, trading at $89.80 per share on the New York Stock Exchange at press time. The company has a market capitalization of $42.3 billion.