DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Dealer-FX warns customers about alleged Xtime vulnerability that could potentially expose customer data

Posted on April 28, 2011 by Dissent

The following email was forwarded to DataBreaches.net by the recipient:

From: Privacy Officer [mailto:[email protected]]
Sent: Thursday, April 28, 2011 10:57 AM
To: Privacy Officer
Subject: URGENT SECURITY CONCERN
Importance: High

Dear Customer,

We are writing to warn you of our recent discovery of a serious security defect in one of our competitor’s systems. The defect, which is in an Xtime system, may compromise your customer database and possibly your own Dealer Management System (“DMS”). As a result of this defect, members of the public are able to gain unrestricted access to ALL of your customer lists, including names, addresses, VIN’s, email addresses, and telephone numbers.

Additionally, because the defect allows for the display of a dealer’s DMS system type, modem dial-in number, and DMS login and password information, we believe that, in some cases, this could also enable members of the public to access your dealership’s customer information and other business information.

As you are a valued client, Dealer-FX’s primary concerns are for your security and the integrity of our relationship. This is why we are coming to you and all of our other clients directly with this information. We want to assure you that we discovered the defect inadvertently; we did not use hacking or any other unscrupulous means. We have reported the defect directly to Xtime Inc., and given them the information necessary to take immediate and appropriate action.

We are uncertain as to the damage (if any) that may have been caused to you or your customers as a result of the security defect. However, given the seriousness of this issue, we recommend that you contact Xtime if you have concerns about the extent of your exposure and/or the security of your data and systems. And please do not hesitate to call us if you’d like to discuss this matter further.

Sincerely,

Sandor Segal | Director of Operations and Privacy
Dealer-FX Group, Inc.

Xtime’s web site describes Xtime as

the leading provider of Web Scheduling and Customer Relationship Management (CRM) solutions for automotive service departments in the US. With over 3,000 dealerships enrolled and over 24 million appointments booked, Xtime is well positioned to deliver the innovative service solutions required for today’s market.

A spokesperson for Xtime informs DataBreaches.net that they received notification from Dealer-FX minutes before Dealer-FX sent its email warning to customers.  Xtime started investigating the reported vulnerability immediately and by 9:45 am today, had modified perms for a feature that had enabled limited access to customer data.  According to the spokesperson, only a small number of dealerships might have been affected, but they are still investigating the problem.  The spokesperson confirmed that customers’ names, vehicle descriptions (which includes VIN) and email addresses were potentially viewable, but Xtime’s investigation has not yet confirmed or disconfirmed whether any addresses or telephone numbers were viewable.  So far, they have identified only one IP address that may have accessed a limited amount of data, but it is not clear whether that IP is associated with a Dealer-FX employee or not.

Xtime plans to contact any customers who may have been affected after they get more information from their investigation. Their spokesperson points out that so far, there is no indication that there was any mass collection of customer data, nor any confirmation of all of Dealer-FX’s claims, including claims about DMS vulnerability to access.  The company plans to provide more information when it’s further into its investigation.

Category: Breach IncidentsBusiness SectorExposureU.S.

Post navigation

← Defending the Digital Gates: Universities and Cyber Security
TX: Combs: More help on way for those affected by data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.