Dec 5th, 2024

Cybersecurity in the Automotive Sector: Securing Dealerships’ Data Assets Amid Growing Threats

Upstream

A conversation with Giuseppe Serio, VP – Market Development, Upstream Security

In the automotive industry, nearly half the activities black hat and fraud operators worldwide undertake to create disruption and chaos aim to exploit vulnerabilities in IT hardware and software. Twelve percent of those efforts, according to Upstream Security’s (“Upstream”) 2024 Global Automotive Cybersecurity Report, are focused on gaining access to personally identifiable information (PII) and other sensitive data. According to the same report, the financial implications can be significant in terms of business disruption and risks associated with passenger safety, consumer privacy protection, and fraud.

Giuseppe Serio, Upstream’s Vice President of Market Development, says these disturbing facts reflect the industry’s remarkable transformation over the past decade. “The automotive industry is no longer just a world of steel and rubber,” Serio said in a recent conversation in Detroit, where Reuters and the Automotive Information Sharing and Analysis Center both were hosting their annual conferences. “It has increasingly evolved into a tech-driven sector where vehicle connectivity, data integration, and digital services are taking center stage.”

It is a huge and quickly expanding market that some analysts forecast will grow from an estimated market size of $65.6 billion in 2023 to $373.6 billion globally by 2030.[1] It’s a growth trajectory driven by the desire of automotive original equipment manufacturers (OEMs), suppliers, and dealers to tap into smarter, more connected vehicles and the data those connected technologies create. The collective goal is to discover new ways of connecting with people and creating value: in the best cases, value that automotive customers are willing to pay for and that keeps them coming back to a brand during the, on average, 12 years someone in the U.S. owns a vehicle.[2]

At the forefront of these changes, however, lies a growing concern: cybersecurity and the associated risks that impact companies throughout the value chain and, even more importantly, customers. When it comes to cybersecurity and protecting customer data, Serio believes automotive dealers play a special and unique role.

“Dealerships are becoming critical nodes in an ever-expanding digital ecosystem. They face the challenge of securing the sensitive customer data and integrated systems they depend on to drive their business,” Serio said. “But they also have a role in the cybersecurity of the vehicle during important moments in the relationship they have with their customers – whether when a new owner takes delivery of a vehicle equipped with connected services or when the vehicle requires service.”

The Complexity of Dealership Security

Noting recent cybersecurity incidents that have impacted automotive retailers in 2024, Serio believes that dealerships, often seen as the “last mile” in the automotive industry’s complex value chain, are increasingly under siege by cybercriminals seeking to exploit vulnerabilities in everything from vehicle data and customer information to internal software systems.

“Cybersecurity in dealerships is more than just an IT issue,” Serio said. “Dealerships deal with complex data systems, not just for inventory management but for sales and customer relationship management (CRM), too. What’s more, the increasing use of APIs – small but crucial entry points for exchanging data between systems – makes dealerships especially vulnerable to attack.”

He notes that while automotive dealerships are part of a fragmented ecosystem, they are also independently owned businesses that must maintain close ties with OEMs, third-party vendors, and external service providers. This ecosystem, while offering a range of efficiencies, also opens the door for security vulnerabilities.

Application programming interfaces (APIs) – which serve as communication channels between the dealership's internal software, the manufacturer, and third-party service providers – are particularly attractive targets for hackers. These entry points enable the legitimate, seamless transfer of vehicle data, transaction histories, and personal customer information. But as Serio points out, APIs also present a potential weak spot.

“The weakest link in the cybersecurity chain is often at the dealership level,” Serio noted. “Dealerships share vast amounts of data with OEMs and third-party vendors, yet they often lack the resources or infrastructure to secure these exchanges adequately.”

Recent surveys of automotive dealers validate Serio’s perspective. An October 2024 report by eLEND Solutions (formerly DealerCentric) revealed that, among the dealerships responding to the company’s survey, more than half (58 percent) felt their dealership was somewhat or not at all prepared to manage a potential cybersecurity breach.

While Serio acknowledges that dealers are focusing on enhancing cybersecurity protections, he notes that risks could increase due to the rise in the use of APIs, which has led to an increase in cyberattacks trying to exploit those vulnerabilities. His concern is that dealerships are investing in advanced customer-facing technologies while backend systems, often developed by multiple vendors, could still be vulnerable to attacks due to inconsistent security standards surrounding APIs.

The Value of Data and the Threat of Ransomware

At the heart of cybersecurity threats to automotive dealerships is the increasing value of customer data. With vehicle ownership records, financial transactions, and personal information all stored digitally, dealerships now handle vast amounts of sensitive customer data. From names, addresses, and payment details to vehicle preferences and service histories, this data is a gold mine for cybercriminals.

“Each individual’s data can be worth as much as $100 on the dark web,” Serio explained. “When you multiply that by millions of records, the potential for a massive payout makes dealerships a prime target. Hackers often use social engineering tactics to manipulate employees and gain access to critical systems.”

The rise of ransomware attacks, in which hackers encrypt a company’s data and demand a ransom for its release, has become a major concern for dealerships as they rely on smooth operations and continuous access to critical customer data for business continuity.

“We are seeing a growing trend where ransomware groups specifically target dealerships for their operational dependencies on customer data and communication systems,” Serio said. “A dealership might be forced to pay the ransom just to regain access to their database, especially if they don’t have an adequate backup or a rapid response plan in place.”

Third-Party Vendors and the Risk of Data Breaches

One of the most significant challenges for dealerships lies in managing the risks posed by third-party vendors. Most dealerships depend on external service providers for various functions, such as CRM, inventory tracking, financial software, and point-of-sale systems. While these third-party vendors are essential for operations, they also represent an expanding vector of cybersecurity threats.

“It’s like managing a supply chain,” Serio noted. “If one link in the chain is weak, the whole chain is at risk. Dealerships may not have full control over the security measures of their vendors, and this exposes them to breaches that could affect their customers or disrupt their business.”

For example, a vulnerability in a CRM system could lead to a breach of personal customer data, putting both the dealership and its customers at risk. If a third-party vendor fails to implement adequate security protocols, it could leave a dealership wide open to cyberattacks.

While some dealerships are exploring ways to internalize certain functions to reduce reliance on third-party providers, this approach often comes with high costs, requiring significant investments in cybersecurity infrastructure, employee training, and ongoing security audits.

Developing a Resilience Mindset

Given the complexities and risks associated with securing modern automotive dealerships, Serio emphasized the importance of cultivating a “resilience mindset” when it comes to cybersecurity.

“Cybersecurity isn’t a one-time fix,” Serio explained. “It’s an ongoing process. Dealerships need to be proactive, not reactive. Regular staff training, system updates, vulnerability testing, encryption, and robust incident response plans are key components of a resilient cybersecurity strategy.”

Cybersecurity experts agree that routine maintenance and early identification of vulnerabilities are crucial in preventing attacks. Serio likened regular system updates to routine dental check-ups. “If you don’t maintain your systems with regular patching and updates, you’re at risk of much bigger problems down the road.”

According to Serio, developing a resilient security strategy is also about adopting a mindset that views cybersecurity as a business enabler, not just a compliance obligation. "Having strong cybersecurity measures in place allows you to innovate and offer new services to customers without risking your reputation or operational stability."

Data Privacy and the Future of Innovation

As the automotive industry increasingly moves toward a connected vehicle ecosystem, where cars themselves become data-collecting hubs, cybersecurity will only grow in importance. Connected vehicles generate vast amounts of data about driver preferences, vehicle diagnostics, location, and more. As a result, dealerships must prepare to safeguard even more customer data as they expand their digital services.

“The data inside a vehicle is incredibly valuable,” Serio said. “Dealerships will be handling even more information about their customers as vehicles become more integrated with digital services. Protecting this data is not just about security, it’s about maintaining customer trust.”

As Serio points out, secure systems are a critical foundation for innovation. Without the assurance of solid security, dealerships may be reluctant to adopt new technologies or offer new services to customers.

“Security isn’t just a protection – it’s a platform for future growth,” Serio said. “If you can’t trust your systems, it’s hard to move forward with confidence.”

Balancing Risk and Cost

One of the most difficult decisions facing dealerships today is how much to invest in cybersecurity, particularly given the growing complexity and rising costs of security measures. Serio likened the decision to choosing insurance. “Just as everyone selects different insurance policies based on their needs, dealerships must assess their risk levels and decide how much they are willing to invest in security.”

The challenge is finding the right balance between securing operations and ensuring operational efficiency. "Cybersecurity is a cost, but it's also a form of protection for the future," Serio explained. "It's not just about avoiding breaches – it's about securing the future of your business."

Conclusion

The automotive industry is evolving into a digital-first environment where connected technologies, data integration, and innovation are reshaping the way vehicles are designed, sold, and serviced. Dealerships, as the last point of contact for many customers, are essential to this transformation but also represent an increasingly vulnerable link in the chain.

To navigate this new landscape, dealerships must prioritize cybersecurity – not just as a risk mitigation tool but as an enabler of business growth. By embracing a culture of cybersecurity resilience, investing in the right technologies, and managing third-party risks, dealerships can secure their operations and their customers in the digital age.

As Serio emphasized, “Cybersecurity is not just about defending against attacks – it's about enabling business. It’s about building trust, securing customer data, and positioning your dealership for future success.”

With the stakes higher than ever, the automotive sector is at a crossroads, where securing the digital ecosystem is critical to both survival and growth.


  1. “Connected Car Market Projections” The Brainy Insights. September 2024. https://finance.yahoo.com/news/connected-car-market-projections-point-233000865.html

  2. “US Consumers Keep Vehicles for a Record 12.5 Years on Average” Reuters. May 2023. https://www.reuters.com/business/autos-transportation/us-consumers-keep-vehicles-record-125-years-average-sp-2023-05-15/

Steve Schmith is the Senior Director of Automotive Strategy at Acxiom, helping brands acquire, retain and grow relationships with customers through the ethical use of data. 

An innovative experimentalist, Steve helps automotive marketers better understand and engage their customers through data-led storytelling.
