Overview
- Exposed information includes full names, physical addresses, dates of birth and Social Security numbers taken from dealership customer records.
- 700Credit detected anomalous activity on October 25; the rapid 'velocity' scraping attack that followed lasted about 90 minutes before the vulnerable API was disabled.
- Forensic findings indicate attackers had compromised an integration partner in July, obtained credentials and decryption keys, and abused a flaw in which the API failed to validate consumer reference IDs against the requesting party.
- Company filings say roughly 20% of consumer data was exfiltrated between May and October; the firm reports no evidence of identity theft, ransomware involvement or impact to its internal network.
- 700Credit notified federal and state authorities, coordinated a consolidated FTC filing for dealers via NADA, began consumer notifications, and is offering 12 months of TransUnion identity protection with guidance on freezes and fraud alerts, as class-action suits and state AG advisories follow.
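
The flaw class described above, a lookup that does not tie a consumer reference ID to the requesting party, is shown below beside a guarded version that also suspends a credential on high request velocity. This is an added illustration, not 700Credit's code; the record layout, dealer names, function names and thresholds are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

# Constructed sample data: consumer reference ID -> owning dealer and record.
RECORDS = {
    "REF-1001": {"dealer": "dealer-A", "name": "Sample Consumer 1"},
    "REF-1002": {"dealer": "dealer-B", "name": "Sample Consumer 2"},
}


def lookup_vulnerable(caller, ref_id):
    """Flawed pattern: any authenticated caller gets any record by ID."""
    return RECORDS.get(ref_id)


class GuardedLookup:
    """Hypothetical hardened lookup: ownership check plus a velocity cap."""

    def __init__(self, max_requests=3, window_seconds=60):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)   # caller -> recent request times
        self.disabled = set()             # credentials suspended for review

    def lookup(self, caller, ref_id, now):
        if caller in self.disabled:
            raise PermissionError("credential suspended")

        # Sliding window: drop timestamps older than the window, then count.
        hits = self._hits[caller]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        hits.append(now)
        if len(hits) > self.max_requests:
            self.disabled.add(caller)     # stays off until an operator clears it
            raise PermissionError("velocity limit exceeded")

        # Object-level authorization: the reference ID must belong to the
        # requesting party. Missing and foreign IDs return the same error so
        # the response does not reveal which IDs exist.
        record = RECORDS.get(ref_id)
        if record is None or record["dealer"] != caller:
            raise PermissionError("reference ID not available to caller")
        return record
```

Denied lookups still count toward the velocity window, so a caller probing reference IDs it does not own trips the cap as quickly as one pulling valid records.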