Avoiding Data Breaches
Dale Opeka’s stomach sank.
His body shop’s computer software had just been compromised by an outside source, and the experts he consulted with had exhausted every troubleshooting idea they could think of.
“They threw up their hands and said, ‘You’re on your own,’” Opeka says, recalling a 2013 incident. “And I didn’t honestly know where to go.
“It was a week full of torture.”
Opeka, the owner of Opeka Auto Repair in McMurray, Pa., was about to get a crash course in dealing with data breaches.
Here’s how it happened: A software provider stopped by the longtime family shop near Pittsburgh and performed a server upgrade. Yet, somewhere in the process of transferring data to the shop’s new server, an email was received by the Opeka Auto Repair staff. The email featured a bot, Opeka explains.
“Someone opened it and ... they took over our complete database,” he explains. “Any data-based programs that we had became non-functional.”
The Opeka Auto Repair staff spent much of the next week trying to resolve the data breach and restore key data, spending nearly $600 on data restoration and anti-spyware programs.
Meanwhile, Opeka discovered that the hackers responsible for the data breach demanded a $500 ransom, paid out in Bitcoin.
Data breaches—incidents in which information is stolen without the knowledge of a system’s owner—leave business operators feeling like they’ve been taken advantage of. And, by all accounts, these situations are happening at body shops throughout the U.S. and Canada.
Data breaches are nerve-wracking to say the least. It’s a feeling Sandy Panduro, like Opeka, knows all too well.
Two years ago, Panduro’s Fix Auto Sun Valley (Calif.) location had its server get ransomed. The shop’s staff came in on a Saturday morning and found that not a single computer file could be opened. A ransom note indicated that Panduro’s staff needed to pay hackers via Bitcoin in order to obtain a password to unlock and recover the shop’s computer files.
“In the end,” Panduro recalls, “we invested in used laptops to at least write estimates temporarily, new firewalls, a new backup system, and countless IT man hours to recover our files after a week’s worth of work.”
Not all data breaches that affect body shops these days are as elaborate, or involve Bitcoin. In the course of reporting for this story, FenderBender spoke with multiple shop owners who have had first-time customers visit their shop for a simple estimate, eventually opt not to get their vehicle’s small issue repaired, yet soon find wording such as “damage repair estimated’ attached to their vehicle through digital vehicle history reports. The culprit in those situations, industry veterans claim, are data pumps associated with shop management systems.
Considering the immense amount of data that now flows in and out of body shops, data breaches, it would appear, are destined to impact—and frustrate—those in the collision repair industry for the foreseeable future
“Not being able to get [the data breach] fixed through any means, other than paying those people, was extremely frustrating,” Opeka recalls.
In Scott Funk’s experience, no one is immune to the threat of a data breach.
Funk, the IT manager at Global Finishing Solutions, has worked in that realm since before the internet came into existence. And he says hackers are as ubiquitous as ever these days.
“You’ll be targeted almost every day,” Funk says. “Really, all [hackers] want is access to your email mailbox—to look for bank account information, routing numbers, check numbers, and credit card information.
“Hackers … they’re just looking for the quickest, fastest way to make a buck.”
As cars become more technical, anything a shop employee scans on a vehicle is saved on a shop computer. Compounding the potential for problems is the fact that, many elements of collision repair are time-sensitive; estimates need to be written efficiently, damage photos need to be sent quickly, and shops are graded on those things, which means shop employees are often in a rush to download information.
And, because of that, if shops don’t have good security, it’s surprisingly easy for that information to be stolen.
Data breaches tend to occur at body shops due to outside emails, or from shops not fully protecting their WiFi.
In the case of emails, often hackers disguise themselves as insurers or customers to lure shop employees into downloading a virus via an attachment such as an apparent photo for a vehicle estimate.
Meanwhile, many shops are taking steps to protect their WiFi from potential hackers.
There are a couple main data breach warning signs to be mindful of, according to Funk:
slow computer system speeds and a sudden inability to apply a computer company’s antivirus updates.
“Maybe your system is slowing down a noticeable amount,” he says. “All of a sudden, things that were running well are taking 10 times longer—it takes longer to open files, longer to get out to the Internet.
“Another common red flag along those lines is if you’re no longer able to apply security patches. Maybe your anti-virus is disabled—that’s an absolute red flag.”
By most accounts, data breaches are a growing threat throughout the collision repair industry. But preventing data breaches is possible.
Doing so simply involves multiple steps. And, all too often, body shop operators are failing to take the required preventative measures.
“Body shop [operators] think that having Norton anti-virus software is good enough,” says Jeff Harlan, the manager of network services for United Systems, a Kentucky-based company that manages IT for roughly 100 businesses. “There’s this idea that, ‘All I have to do is buy anti-virus software and I’m good’—which is so far from the truth it’s not even funny.
“Most body shops don’t have legitimate firewalls. So there’s no monitoring going on, there’s no outside defenses, and there’s not even the idea that I might be attacked, because, ‘Who cares; I’m just a small little body shop.’ And the reality is that hackers out there can scan the internet in just a few minutes for open ports.”
Harlan says that hackers are like cockroaches, just looking for any point of entry into intriguing places.
Hackers, he says, “don’t care what’s behind the door. They’re just looking for one they think they can get through. And then they determine whether or not it’s worth doing anything with.”
FenderBender spoke to numerous industry sources, seeking their advice for thwarting such hackers. Here’s what they had to say.
Lock all Computers. Any time a shop employee steps away from his or her computer—be it to check an estimate, to look at a VIN number, or to take a picture—it should automatically lock. After all, it doesn’t take long for information to be stolen off a computer.
It’s also wise to implement complex, varied computer passwords (phrases are usually ideal, experts say, and easy to remember) that change every 90 days or so. In the same vein, industry insiders say it’s ill-advised to use the same password for multiple accounts or systems.
Limit Access to Data. It’s important to consider the security of computer data, especially the data confined on your shop floor. Gene Fenske, business account manager with Axalta Coating Systems, has often seen proof of that fact.
“It’s astounding how many shops have internet connectivity on their mixing machine computers with no virus protection,” Fenske says. “I know of at least two shops whose business networks were slowed by viruses after employees surfed the net on shop computers—one was an owner’s son, so also be aware of people that may access the system without your knowledge.”
Fenske also says it’s important for shop owners to make sure they maintain control of remote access and login information when employees resign or are terminated.
Don’t X Out of Updates. Though waiting out a computer update can feel excruciatingly long, closing out of those too early can prove costly.
“You’re allowing a hole to be opened up by clicking past those security patches and updates,” GFS’ Funk says. A hacker might … gather your passwords. They could possibly set up a remote control type of thing to be able to look at files on your computer. The other thing that can happen is you can get so far behind on those patches and updates that you risk basically breaking your computer.”
Pay Close Attention to Software Changes. Harlan suggests keeping an eye out for any changes to shop elements like accounting software. Accounting software like QuickBooks, for example, is often a target of hackers.
“Let’s say that you see a transaction in QuickBooks that you know you didn’t do, or a transaction in QuickBooks is missing,” Harlan says. “Sometimes, what hackers have done is they’ve stolen the data [and] it messed up a record, or a row, within the database, so you can’t search things that you could search a couple days ago.”
Keep a List of Known Threats. It can be helpful for body shop staff to compile a running list of known suspicious entities, such as companies that are sending emails that appear to be spam. And, if those employees keep their IT resources up to date on that list, those technology experts can set up auto-blocks on shop computers.
That way, a shop’s computers will automatically recognize suspicious digital activity and won’t allow any attempted automatic downloads.
Keep Tabs on Scan Tools. It’s a warning multiple industry insiders say to be mindful of: If you notice someone on your shop staff bringing in their own personal scan tool, ask them why. Because, the insiders say, if a staff member brings in their own scan tool, claiming that it’s faster than what the shop can offer, it’s a red flag.
“If an employee comes in with their own scan tool, that’s a big red flag,” says McConnell Trapp, a computer expert and director of Speed Trapp Consulting (see sidebar “How Hackers Attack”). “If you see someone with a scan tool that’s not authorized, question them—‘What are you doing, and why?’ … You need to have a very restricted chain of custody.”
Manage Your Computer. Regularly patching or updating your computer’s operating system is critical in 2019. After all, those security measures can often unearth and pinpoint vulnerabilities within computer software, helping businesses make key adjustments.
“If you’re in a Windows or Mac environment, patching the operating system is critical,” Funk says. “It can take some time, but applying those patches and rebooting is important. … If there’s an exploit in an operating system that has been published on hacker sites, Microsoft will release security patches immediately to fix those—it’s important to apply that as quickly as you can.”
Purchase Specific Insurance. Insurers now sell specific coverage for data breaches known as “cyber liability/social engineering coverage.” That coverage, which starts at $3,000 per year, covers the loss of revenue, in addition to the expenses of the breach.
And beware—as Panduro, of Fix Auto Sun Valley notes, “the limited coverage included with most policies covers none of this.”
Use Free Resources. Many forms of estimating software, and a lot of insurance software, are associated with their own set of IT employees. And, you’re unlikely to be charged if you, as a shop operator, contact them, seeking their troubleshooting expertise.
Typically, a body shop staff can tap into those resources for free, because it is using the company’s software.
Seek Local IT Help. While it would be ideal for every body shop to have dedicated IT employees, most in the industry agree: due to the modest size of most collision repair businesses, budget constraints make that unrealistic. Hiring a local or regional IT company that’s well-respected can offer peace of mind when computer software is compromised.
Most of the industry experts FenderBender spoke to agreed: It’s most ideal to use an IT company that’s local, so you can meet IT experts face-to-face and build a level of trust.
Dale Opeka can still vividly recall the roughly 20 work hours he spent back in 2013, as he was gripped with anxiety, trying to fight a faceless adversary.
Battling hackers is frustrating, to say the least.
“Once I paid them, they sent me a code and I plugged it in, and boom, we were up and running again,” Opeka recalls. “But that was an unnerving experience. The whole experience took one week to totally resolve. It sure was frustrating to go back to doing things by hand.
“I was extremely relieved when everything was back running again.”
Nowadays, Opeka Auto Repair protects its computers via antivirus software and firewalls.
“And,” he says, “we explicitly tell everyone that works there not to open any emails if they don’t know where they came from; just delete them. So, we have not had a problem since.
“But that [2013 data breach] was nerve wracking—it was like, ‘Here we go, we’re just throwing money away.’
“It was just an interesting experience, let me tell you. I was fascinated by the whole process.”