5.8 Million SSNs Exposed — The 700Credit Breach Every Dealership Needs to Know About

Every time a customer sits down in your F&I office and fills out a credit application, they’re handing over the keys to their identity. Name, date of birth, address, Social Security number — all of it, flowing through your systems and into the hands of third-party vendors you probably never think about.

Now imagine one of those vendors gets hacked. Not your dealership — their system. And suddenly 5.8 million customers’ Social Security numbers are in the hands of attackers.

That’s not a hypothetical. That’s exactly what happened with 700Credit.

What Happened

700Credit LLC is a Michigan-based company that provides credit reports and identity verification services for auto dealerships across the country. If your dealership runs credit checks, there’s a good chance you’ve used them — or a vendor like them.

In late 2025, 700Credit disclosed that attackers had accessed its dealership web application and copied massive amounts of consumer data. The breach window ran from May through October 2025 — five full months before anyone noticed.

The data stolen included full names, mailing addresses, dates of birth, and Social Security numbers. All unencrypted. All tied to customers who filled out credit applications at dealerships.

How the Attack Worked

This wasn’t a brute-force hack or a sophisticated zero-day exploit. The attackers found a way in through the supply chain.

According to industry reporting, a third-party integration partner connected to 700Credit was compromised first. That gave the attackers access to communication logs that revealed an API — the digital pipeline used to pull consumer data from 700Credit’s system.

Once they had the API, they launched a sustained, high-volume extraction campaign. They were pulling records for weeks before 700Credit detected the activity. Even after mitigation efforts began, attackers reportedly continued to extract data before access was fully shut down.

The lesson here is brutal: the attackers didn’t need to hack your dealership. They hacked your vendor’s vendor.

The FTC Safeguards Rule Connection

Here’s where it gets personal for dealership owners.

The FTC Safeguards Rule requires auto dealerships to implement comprehensive information security programs to protect customer financial data. This isn’t optional — it’s federal law, and the FTC has been actively enforcing it.

Under the Safeguards Rule, your dealership is responsible for:

• Designating a qualified individual to oversee your security program
• Conducting risk assessments of your systems and vendors
• Implementing access controls and encryption
• Monitoring and testing your security measures
• Evaluating the security practices of your service providers

That last one is the kicker. When 700Credit got breached, dealerships that relied on them were exposed — but the FTC still holds you responsible for vetting your vendors.

The National Automobile Dealers Association (NADA) coordinated with the FTC to allow 700Credit to file a consolidated Safeguards Rule notification on behalf of affected dealerships. But that doesn’t eliminate your individual compliance obligations.

What You Should Do Right Now

If your dealership uses 700Credit — or any third-party credit reporting vendor — here’s your action plan:

1. Determine if you’re affected. Contact 700Credit’s dedicated breach line at (866) 273-0345. Review any notifications you’ve received. Check with your DMS provider to confirm which credit vendors your systems are connected to.

2. Review your vendor agreements. Pull your contract with every third-party vendor that touches customer financial data. Look for security requirements, breach notification clauses, and liability provisions. If those clauses don’t exist, that’s your first red flag.

3. Audit your vendor list. Most dealerships don’t even know how many vendors have access to customer data. Credit bureaus, DMS providers, F&I product vendors, marketing platforms — each one is a potential attack vector. Document every vendor and assess their security posture. Our Auto Dealership Cybersecurity guide includes a vendor risk checklist to help you get started.

4. Notify affected customers (if required). Depending on your state, you may have independent notification obligations even if 700Credit handles the primary notification. Consult with your legal counsel — 700Credit has explicitly stated they cannot advise dealerships on specific legal obligations.

5. Strengthen your Safeguards Rule compliance. If you haven’t implemented a formal Written Information Security Plan (WISP), this is your wake-up call. The FTC isn’t waiting for you to catch up. Document your risk assessments, access controls, incident response procedures, and vendor management protocols.

6. Enable MFA everywhere. Multi-factor authentication should be active on every system that touches customer data — your DMS, email, CRM, and any vendor portals. If 700Credit’s breach taught us anything, it’s that credential-based access is the front door for attackers.

The Bigger Picture

The 700Credit breach isn’t just a 700Credit problem. It’s a vendor risk problem that affects every dealership in the country.

Your dealership might have the best security in the world, but if your credit vendor, your DMS provider, or your marketing platform gets compromised, your customers’ data is still at risk. And under the FTC Safeguards Rule, you’re still on the hook.

Vendor risk management isn’t optional anymore. It’s not something you check once a year and forget about. It needs to be part of your ongoing security program — right alongside employee training, access controls, and incident response planning.

The attackers didn’t hack 5.8 million people’s SSNs by breaking into dealerships one by one. They found the single point of failure that connected to thousands of dealerships at once.

Don’t let your vendor be the weakest link.