Desmoines, Iowa - An Iowa company that sells software and data services to auto dealers has agreed to take steps to better protect the data it collects, to settle Federal Trade Commission allegations that the firm’s poor data security practices led to a breach that exposed the personal information of millions of consumers.

In a complaint, the FTC alleges that LightYear Dealer Technologies, LLC (doing business as DealerBuilt) failed to implement readily available and low-cost measures to protect personal information it obtained from its auto dealer clients.

“Today’s announcement reflects additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices,” said FTC Chairman Joe Simons. “The settlement with DealerBuilt imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third party assessor’s accountability and providing the FTC with additional tools for oversight.”

DealerBuilt develops and sells dealer-management system software and data processing services to auto dealers across the country. The software collects large quantities of personal information about dealership consumers, including names, addresses, birth dates, and Social Security numbers. Its payroll software collects similar information from dealership employees, along with bank account information. The FTC alleges that the personal data DealerBuilt collected was stored and transmitted in clear text, without any access controls or authentication protections.

According to the FTC’s complaint, a DealerBuilt employee connected a storage device to the company’s backup network without ensuring that it was securely configured, leaving an insecure connection for 18 months.

The company never performed any vulnerability scanning, penetration testing, or other measures that would have detected the vulnerability, according to the complaint. The FTC alleges that DealerBuilt failed to take other steps to protect personal data stored on its network such as developing, implementing, or maintaining a written information security policy and training for employees; using security measures to monitor its systems and assets; and imposing reasonable data access controls.

The FTC alleges these failures led to a breach of DealerBuilt’s backup database beginning in late October 2016 over a 10-day period, when a hacker gained access to the unencrypted personal information of about 12.5 million consumers stored by 130 DealerBuilt customers. The hacker downloaded the personal information of more than 69,000 consumers, including their Social Security numbers, driver’s license numbers, and birthdates, as well as wage and financial information. DealerBuilt did not detect the breach until it was notified by one of its auto dealer customers, who demanded to know why its customer data was publicly available on the Internet, according to the complaint. The types of personal information stolen from DealerBuilt—names, addresses and Social Security numbers—are often used to commit identity theft and fraud, the complaint notes.

The FTC alleges that DealerBuilt violated the FTC Act’s prohibition against unfair practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program.

As part of the proposed settlement with the FTC, DealerBuilt is prohibited from transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program designed to protect the personal information it collects. Among other things, the order requires DealerBuilt to implement specific safeguards that address the allegations in the FTC complaint.

The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. In addition, the order requires a senior corporate manager responsible for overseeing DealerBuilt’s information security program to certify compliance with the order every year. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.

The Commission vote to issue the proposed administrative complaint and to accept the consent agreement with DealerBuilt was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.