Car retailers have been told “there is no silver bullet” in the fight to avoid potentially devastating data-grabbing cyberattacks as high-profile AM100 businesses continue to recover from hits on their digital systems*.

Layers of digital defences, business-wide awareness and constant vigilance were prescribed as the essential tools to mitigate the threat to a sector that has become increasingly digital and ever-more appealing to cyber criminals.

Melanie Oldham OBE, the founder and chief executive of cyber security awareness training company Bob’s Business and chair of the Yorkshire Cyber Security Cluster, said cybercrime poses a threat not only to customer data, but to dealers’ entire ability to trade.

“A breach can have huge financial and reputational issues for dealers,” she told AM.

“For smaller dealerships and groups, it could be the end of their business; 60% of small businesses close within six months of a breach.”

LARGE-SCALE ATTACKS

Larger car retailer businesses are also vulnerable as the scale and ambition of cyberattacks escalate.

Pendragon chief marketing officer Kim Costello said hackers left the listed industry giant with no choice but to rebuff a $60 million (£52m) ransom demand – believed to be the largest made of a private company.

“To be perfectly honest, we felt our only choice was to run and hide or go strong and protect the interests of our associates and our customers,” admitted Costello, speaking exclusively to AM.

“After six weeks of meetings, 10 hours a day, and the support of all Pendragon’s resource of legal experts, cybercrime consultants and insurers it came down to a choice that had to be made. It was extremely nerve-racking.”

Digital monitoring systems initially alerted Pendragon’s IT team to the attack – later attributed to the LockBit ransomware gang – and Pendragon’s legal department quickly turned to a third-party team of cyber experts for help.

The attack was reported to the National Cyber Security Centre, the Information Commissioner's Office and the Financial Conduct Authority.

During investigations it emerged that the hackers had succeeded in accessing 5% of Pendragon’s data.

Its customer data was unaffected, however, as its Pinewood Technologies dealer management system was not breached.

Since the incident Pendragon has redoubled its digital protection.

As well as multi-stage authentication processes, it has ramped up its spam filter policies and paid for a two-year subscription to Experian data protection for every staff member, Costello said.

“It’s not a case of once and then done,” she said. “It’s highlighted to us the need for constant vigilance and monitoring.

“This is something that is happening to businesses in all sectors across the world and we need to be prepared for it.”

Pendragon’s ordeal followed attacks on LSH Auto UK and Holdcroft Group in 2022 and came months before a Christmas cyberattack on Arnold Clark.

Arnold Clark chief executive Eddie Hawthorne recently told AM that, after attending a two-day course on cybersecurity, he “could not sleep for a week”.

Its December 23 attack became a waking nightmare for Hawthorne, with a spokesperson describing the recovery process as a “mammoth task” after the car retail giant was forced to axe internet access to protect its data.

It left the group unable to complete vehicle handovers and it was later reported by the Mail on Sunday that the international hacking ring Play was threatening the business with a huge dump of customer data onto the Dark Web after leaking some of the details taken in the raid.

Upon being contacted about the recent cyberattack on his business, Hawthorne said he was unable to comment on it as the forensic investigation was “still ongoing”.

AN APPEALING TARGET

The recent spate of incidents in the UK’s car retail sector has highlighted cybercriminals’ awareness of the growing volume of valuable customer data being held by a car retail sector looking to drive retention and omnichannel retail through digitalised processes.

Oldham said: “Cybercriminals see the motor industry as an increasingly attractive target due to the huge amounts of sensitive and high value data collected – and is often stored in databases with common access across multiple locations.”

One of the key areas of focus needs to be third-party suppliers, according to the National Cyber Security Centre (NCSC) – a part of GCHQ. Government data shows just 13% of businesses review the risks posed by their immediate suppliers.

Costello told AM that data governance was “the first thing we ask about” when a new supplier relationship is under consideration.

Steve Cross, technical director at PIB Insurance Brokers, said: “The reality is that in most cases it is not in the motor traders’ gift to strengthen their data security as a result. All the customer knows is that they handed over their data to the retailer they bought their car from.”

Cross said that cyberattacks – most commonly ransomware – had ramped up considerably since the COVID-19 pandemic and described the threat to UK car retailers as “very, very real”.

Data provided to AM by cybercrime and data protection specialists Consultants Like Us suggested there was a 600% increase in cybercrime in 2021 as scammers targeted widespread vulnerabilities posed by homeworking.

High staff churn is also a weakness of the motor retail sector. Departing staff can take passwords and knowledge of systems which could be used to gain unauthorised access to sensitive data, Oldham said, as new staff place high demands on cybersecurity training – an often-overlooked area.

“Having robust, regularly reviewed systems and a continuing programme of training and development for colleagues is the only way to safeguard yours and your customers’ data,” she said.

PHISHING FOR TROUBLE

IBM’s X-Force Threat Intelligence Index report showed that the UK accounted for 43% of attacks observed in Europe over 12 months to February, well ahead of Germany (14%), Portugal (9%) and Italy (8%).

The report found 27% of attacks were aiming to extort money from their targets.

Phishing – legitimate-looking emails or messages seeking to expose the recipient to a dangerous link or elicit systems access information – was the most common method of gaining access to IT systems, accounting for 41% of attacks.

Cross said insurers are increasingly apprehensive about providing cybersecurity cover to a car retail sector for which there was “no silver bullet” solution to cybercrime.

Hamilton Leigh managing director Lee Cohen agreed. He said: “Most insurers will not provide cybercrime cover to a business with a turnover above £100m.

“The largest cybercrime claim we have dealt with to date was for a car retailer targeted by cyber criminals. It was worth £2.5m, so the risks to insurers are considerable.”

Cohen said the most important element of taking out a cybercrime insurance policy was often the legal support and IT expertise attached to it.

And he suggested that Pendragon’s approach to rebuff the demands of hackers is often the correct one.

“There have been many instances where businesses have ignored the insurers and legal advice and paid a ransom only to find that they are then seen as an easy target and the problem comes back,” he said.

MELANIE OLDHAM’S BEST-PRACTICE TO PROTECT AGAINST CYBERATTACKS:

  • Prioritise training, from the CEO to the apprentice. Every person with access to a system is a potential gateway for cybercriminals. Training should be regular and include awareness of phishing and malware, password management, data protection and how to respond in an incident.
  • Protect passwords to prevent cybercriminals accessing systems by setting a complexity standard and enforcing regular updates. Use three random words, such as TwoPens1Penc!l.
  • Multifactor authentication is like having two locks on a door: if someone gets hold of one key they’d still need the other to open it. It might seem like a nuisance, but it only takes a moment to input an access code.
  • Limit access to sensitive information to cut down the risk of accidental and intentional breaches. Keeping access to sensitive information on a need-to-know basis will help reduce risk and pin down suspects should the worst happen.
  • Regularly update software to patch known flaws in a system, which cybercriminals will target.
  • Implement data encryption to protect sensitive information from unauthorised access. As part of GDPR, it’s expected that you store sensitive information securely and encryption is a great option.
  • Have a cybersecurity incident response plan known by everyone in the business. A fully thought-out plan will limit damage, minimise downtime and mitigate the consequences.

*This feature first appeared in the latest, and final, printed edition of AM Magazine. Access the full, digital version of AM's March edition by clicking here.