Your Car Dealership Passed the FTC Safeguards Audit, But Can It Survive a Real Attack?

The compliance certificate is framed on the wall. The written information security program is signed. The Qualified Individual is named, the risk assessment is filed, and your vendor contracts include the right cybersecurity language.

You’re compliant with the FTC Safeguards Rule.

You’re also still vulnerable.

This isn’t a hypothetical. It’s the lesson the automotive industry learned the hard way in June 2024, when a cyberattack against CDK Global, the software platform powering roughly 15,000 dealerships across North America, took dealerships offline for approximately 16 days. The attack began on June 18-19, 2024, and systems were not fully restored until around July 4. Salespeople were writing deals on paper. Service departments couldn’t look up vehicle history. Finance offices couldn’t process contracts.

CDK’s customers weren’t running rogue operations. Many had compliance programs in place. It didn’t matter.

Compliance and security are not the same thing. If your dealership doesn’t understand that distinction, you’re one phishing email away from finding out the hard way.

What the FTC Safeguards Rule Actually Requires

The FTC Safeguards Rule, amended in December 2021 under the Gramm-Leach-Bliley Act, introduced prescriptive requirements that took effect on June 9, 2023. The rule applies to any business that qualifies as a “financial institution” under the FTC’s definition. Auto dealerships that offer financing, leasing, or insurance products qualify. The rule requires dealerships to implement a comprehensive information security program covering nine core requirements:

  • Designate a Qualified Individual to oversee the program
  • Conduct a risk assessment
  • Implement safeguards to control identified risks
  • Regularly monitor and test those safeguards
  • Train staff
  • Oversee service providers
  • Maintain an incident response plan
  • Keep the program current
  • Report to the board (or equivalent oversight body)

Most dealerships working with a compliance consultant can check these boxes. The problem is how those boxes get checked.

Compliance Theater vs. Real Security

Here’s what box-checking looks like in practice at a typical mid-size dealership:

Risk assessment: A spreadsheet completed annually by the office manager and a third-party IT vendor. It identifies “phishing” and “ransomware” as risks. It recommends antivirus and MFA.

Penetration testing: A vulnerability scan run by the same IT vendor who manages the network. The scan finds no critical findings. No one attempts to actually exploit anything.

Access controls: The DMS has role-based access configured. But the service manager’s credentials haven’t changed since 2019, a terminated F&I manager’s account is still active, and the shared “service desk” login is posted on a sticky note near the cashier window.

Vendor oversight: Contracts with CDK, Reynolds & Reynolds, and the CRM provider include the required security language. No one has audited what data those vendors can actually access or how it’s protected on their end.

Everything above is technically compliant. None of it reflects a dealership that would survive a determined attacker.

What a Real Attack Against a Dealership Looks Like

When our team conducts penetration tests against auto dealerships, the attack path is usually shorter than anyone expects. Here’s a representative scenario:

Figure: Anatomy of a Dealership Breach

Phase 1: Initial Access

A spear-phishing email targets an F&I manager with a fake DocuSign notification referencing a pending deal. The manager clicks, enters credentials, and hands over their email login. From email, we find the DMS login in a saved password manager or a “welcome” email thread.

Phase 2: Lateral Movement

DMS credentials work on the internal network. The DMS server is running an unpatched version of Windows Server with SMB signing disabled. We use Responder to capture NTLM hashes from other hosts on the network and crack the service account password within minutes. We now have domain access.

Phase 3: Impact

From domain admin, the options are unlimited: exfiltrate customer PII (names, SSNs, income data from credit applications), access the F&I deal jacket archive, deploy ransomware, or establish persistence for long-term access. We stop here. A real attacker doesn’t.

What the compliance audit didn’t catch: The unpatched server, the NTLM relay exposure, the stale account, the reused password, the susceptibility to phishing. None of these show up in a self-reported risk assessment or a basic vulnerability scan.
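As an added defensive check (example code written for this page, not from the original article or the firm's own toolkit): a read-only PowerShell audit a dealership's IT vendor could run for the gaps that the scenario above and the "Access controls" example earlier both turn on: SMB signing not required on the DMS server, an unpatched server, enabled accounts nobody has used in months, and passwords that have not been rotated. The server name, the thresholds, and the presence of the ActiveDirectory (RSAT) module on a domain-joined admin workstation are assumptions.

```powershell
# Added example, not the article's code. Read-only audit of the gaps the
# penetration test found and the compliance review missed. Assumed values:
param(
    [string]$DmsServer = "DMS01",    # assumed hostname of the DMS server
    [int]$StaleDays = 90,            # assumed "stale account" threshold
    [int]$MaxPasswordAgeDays = 365   # assumed maximum acceptable password age
)

Import-Module ActiveDirectory

# 1. SMB signing on the DMS server. NTLM relay only works against hosts
#    that do not require signed SMB sessions.
$smb = Invoke-Command -ComputerName $DmsServer -ScriptBlock {
    Get-SmbServerConfiguration |
        Select-Object RequireSecuritySignature, EnableSecuritySignature
}
if (-not $smb.RequireSecuritySignature) {
    Write-Warning "$DmsServer does not require SMB signing (NTLM relay exposure)"
}

# 2. Patch level: date of the most recent hotfix on the DMS server.
$lastFix = Get-HotFix -ComputerName $DmsServer |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1 HotFixID, InstalledOn
Write-Output "Most recent hotfix on ${DmsServer}: $($lastFix.HotFixID) on $($lastFix.InstalledOn)"

# 3. Stale but still enabled accounts (the terminated F&I manager's login).
Write-Output "Enabled accounts with no logon in $StaleDays days:"
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate

# 4. Passwords never rotated (the service manager's 2019 credentials).
$pwCutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
Write-Output "Enabled accounts whose password is older than $MaxPasswordAgeDays days:"
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordLastSet -lt $pwCutoff } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires
```

Phishing susceptibility, the fifth gap in the list, is not something a script can measure; it needs the social-engineering exercise described later in the article.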

The CDK Breach Taught a Specific Lesson

The CDK Global incident was a supply chain attack. Attackers didn’t target a single dealership; they targeted the platform that thousands of dealerships trusted. When CDK went down starting June 18, 2024, dealerships discovered two uncomfortable truths:

Figure: CDK Global Incident Impact

1. Their incident response plan didn’t account for losing access to their core operating platform for over two weeks.

2. Their vendor oversight program had approved CDK’s security posture based on contractual language, not actual verification.

Both of these are FTC Safeguards requirements. Both failed under real-world conditions.

The FTC doesn’t currently publish enforcement actions against individual dealerships for Safeguards violations the way it does in other verticals, but that posture is shifting. The 2021 amendments included more prescriptive technical requirements precisely because the FTC recognized that vague policy language wasn’t producing real security outcomes.

The Gap Between Compliant and Secure

The Safeguards Rule is a floor, not a ceiling. It establishes the minimum baseline for what a financial institution’s security program should look like. It was written to be broadly applicable across thousands of businesses with wildly different technical environments.

It was not written to be sufficient.

A dealership that treats Safeguards compliance as the finish line is a dealership that has done the minimum required by law. That’s a defensible legal position. It is not a defensible security position.

The question every dealer principal and GM should be asking isn’t “Are we compliant?” It’s “If an attacker targeted us today, how far would they get?”

The only way to answer that question honestly is to test it.

What a Dealership Penetration Test Actually Covers

A legitimate penetration test scoped for FTC Safeguards alignment should include:

Figure: Dealership Penetration Test Scope

  • External network testing: What attack surface is exposed to the internet? Are DMS portals, VPN endpoints, or RDP services accessible from outside?
  • Internal network testing: Once inside (simulating a phishing compromise or rogue device), how far can an attacker move? Can they reach customer PII?
  • Social engineering: Are staff susceptible to phishing? Can an attacker vish their way past the service desk?
  • Application testing: Are the DMS and CRM platforms configured securely? Are API integrations with third parties locked down?
  • Physical security: Can someone walk into the service drive, plug into a network jack, and own the domain?

The findings from this test, not a self-reported risk assessment or a vulnerability scan, are what should be driving your security program’s priorities.

Compliance got you to the starting line. Testing tells you where you actually stand.

Scott Sailors (https://www.hiredhackers.com)
Principal Security Consultant with over 20 years of experience in security architecture, engineering, and executive leadership. Holds CISSP, OSCP, CISM, and CRISC certifications and Master's and Bachelor's degrees in Cybersecurity, with expertise bridging technical teams and senior management to communicate complex security challenges in actionable terms.
