The pattern in 2025 was hard to miss: the biggest dealership data breaches did not start inside the dealership. They started at a vendor. Attackers have figured out that hitting one software provider gives them a way into hundreds or thousands of stores at once, and auto retail has become a favorite target. If your compliance program still treats vendor risk as a box to check once a year, this is the year to fix that.
The threat curve is pointing the wrong way
Cyberattacks on the automotive sector are not slowing down. Security researchers at Halcyon report that ransomware now accounts for 44 percent of cyber incidents across the automotive industry, with attack volume roughly doubling over the prior year (Halcyon). Dealerships sit in the blast radius because of what they hold: Social Security numbers, driver’s licenses, and complete financing files on every customer who ever filled out a credit application.
That is exactly the “customer information” the FTC Safeguards Rule tells you to protect, and it is exactly what ransomware crews want to steal and sell.
Two 2025 breaches that prove the point
You do not have to imagine the risk. Two incidents from 2025 show how it plays out.
Motility Software Solutions, a dealer management software provider serving roughly 7,000 RV, powersports, and marine dealerships, disclosed a ransomware attack that exposed the personal information of about 766,000 individuals, including Social Security numbers and driver’s license numbers (ComplyAuto). Those are financial institutions under the same Safeguards Rule your store answers to, and the dealerships on that platform did nothing wrong on their own systems. Their customers’ data was exposed anyway, because the vendor was the target, and the same pattern threatens any dealer whose DMS or CRM becomes the entry point.
Progressive Auto Group was hit directly in June 2025, with the Nitrogen ransomware group claiming responsibility for stealing sensitive data including Social Security numbers, payment card numbers, driver’s license numbers, and financial account numbers (ClaimDepot).
Neither of these is the 2024 CDK Global outage, and that is the point. CDK froze thousands of dealerships for weeks and became the headline everyone remembers. The 2025 breaches were quieter, but they hit the exact data that triggers regulatory and legal exposure.
The FTC already told you to watch your vendors
None of this is a surprise to the FTC. The Safeguards Rule requires covered dealerships to oversee their service providers, not just hire them. In plain terms, the rule expects you to:
- Select providers capable of maintaining appropriate safeguards.
- Contract for those safeguards in writing, so the vendor is obligated to protect your customers’ data.
- Monitor those providers on an ongoing basis, based on the risk they carry.
A vendor that touches customer financial data and cannot show you how it protects that data is not a compliance detail. It is the most likely path to your next breach.
Build a vendor program you can actually run
You cannot audit every integration every week, and you do not have to. You need a program that ranks vendors by risk and keeps evidence. Here is a version that fits a dealership.
- Inventory every vendor that touches customer data. DMS, CRM, F&I menu, digital retailing, texting platform, marketing, credit tools. If it can see a customer’s information, it is on the list.
- Rank them by risk. A provider holding full financing files is a different tier than a vendor that sees only an email address. Spend your oversight where the data is most sensitive.
- Get evidence, not promises. For high-risk vendors, ask for a current SOC 2 Type II report and proof of active cyber insurance. Put security obligations in the contract.
- Enforce least privilege and kill dormant access. Vendors should reach only the data they strictly need. Revoke access the moment a relationship ends or an integration goes dark.
- Assume a vendor will be breached, and plan for it. Your incident response plan should name who you call and what you do when the failure is on their side, not yours.
When a vendor breach becomes your notification
Here is the part dealers miss: a breach at your vendor can still be your reporting obligation. Under the Safeguards Rule, covered financial institutions must notify the FTC as soon as possible, and no later than 30 days after discovering a security event involving the unauthorized acquisition of unencrypted customer information affecting 500 or more consumers. That requirement took effect May 13, 2024, and motor vehicle dealers are explicitly named among the covered institutions (ComplyAuto). It does not stop applying just because the compromised system belonged to a software provider.
So the vendor’s weak security becomes your clock, your notification, and potentially your civil penalty exposure, which the FTC set at up to $53,088 per violation for 2025 (Orrick InfoBytes).
The dealers who come through the next vendor breach in good shape are the ones who saw it coming: they knew which vendors held the crown-jewel data, they had the contracts and the evidence, and they had a plan for the day the call came from the other direction.
Not sure which of your vendors would put you on the hook? A free gap assessment maps your service-provider risk against the Safeguards Rule so you can fix the weak links before an attacker finds them.