U.S.-based fintech company 700Credit has begun notifying more than 5.8 million individuals that their personal information was exposed in a data breach.
The incident stems from a July cyberattack targeting one of 700Credit’s integration partners. Attackers discovered an exposed API that allowed access to customer data, but the partner failed to notify 700Credit about the compromise.
700Credit detected suspicious activity on October 25 and launched an investigation with the help of third-party forensic experts. The company determined that records linked to customers of its dealership clients were copied without authorization.
According to Managing Director Ken Hill, the attacker exfiltrated roughly 20% of consumer data between May and October before the vulnerable API was shut down. The breach was caused by a failure to properly validate consumer reference IDs against the original requester.
The exposed data includes:
- Full name
- Physical address
- Date of birth
- Social Security number (SSN)
700Credit is a major provider of credit reporting, identity verification, and fraud services for more than 23,000 automotive and specialty vehicle dealers across the U.S.
The company filed a consolidated breach notification with the Federal Trade Commission (FTC) on behalf of itself and all affected dealer clients, meaning individual customers do not need to file separate notices with regulators. 700Credit also notified the National Automobile Dealers Association (NADA).
To mitigate potential harm, 700Credit is offering 12 months of free identity protection and credit monitoring through TransUnion, with a 90-day enrollment window. Affected individuals are advised to closely monitor their accounts and consider placing a security freeze.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
No ransomware group has claimed responsibility for the attack so far. 700Credit has not provided additional comment beyond the breach notification.
