December 2020 DriveSure Data Incident

A number of customers have recently been notified that their information may have been compromised. This page details the cause of those notifications.

DriveSure is a suite of benefits that new car dealerships offer to their customers. At one point in time, you might have had your car serviced and/or purchased at one of these dealerships. Your account and information may have been involved in a security incident that affected one of our systems in December 2020. Please note that we do not sell customer information and, though you may receive multiple or delayed notifications from monitoring services, there was a single incident affecting a single system.

Below you will find additional information about the security incident you may have been notified of:

 

What happened?

In December 2020, we discovered that an unauthorized party accessed certain data within one of DriveSure’s hosted systems. Since we first became aware of this, we disabled the unauthorized party’s access and commenced an internal investigation with the assistance of an outside cybersecurity firm.

 

Has data been taken from the system?

In January 2021, we discovered that the unauthorized party who accessed certain data within one of our hosted systems is attempting to sell that data on the dark web – a site that is not easily accessed from the normal internet – or to unauthorized third parties. Through our investigation of the incident, which was supported by cybersecurity experts and law enforcement, we determined that the information that the unauthorized party stole from our systems included customers’ (a) names: (b) addresses; (c) telephone numbers; (d) email addresses; (e) car make/model information; and/or (f) the VIN number of their car. Significantly, the unauthorized party did not access any information on our system that they can use to commit identity theft.

 

What is DriveSure doing about this?

Upon first becoming aware of this, we commenced an investigation with the assistance of an outside cybersecurity firm. To help prevent something like this from happening again, we are conducting a comprehensive review of our cybersecurity defenses and protocols and providing additional cybersecurity training to all our employees.

 

Is DriveSure offering complimentary credit monitoring to individuals whose information may have been accessed or stolen by the unauthorized party?

No. Credit monitoring services are designed to let individuals know when someone is opening a new credit account using their information. Credit accounts cannot be opened using the information that the unauthorized party accessed and/or acquired from DriveSure’s systems, and credit monitoring does not alert individuals when such information is used for unauthorized purposes.

 

We hope that we have answered all your questions about this incident. If you have any additional questions, please email us at contact_us@krexinc.com