British trade organization RMI Bodyshops on Monday warned United Kingdom collision repairers that third parties have accessed customer data without a shop’s direct consent.

While there’s a chance shop management systems terms of use allowed entities like law firms and accident management companies to apparently see internal information, there’s also the possibility a hack or other breach exposed the data, RMI Bodyshops wrote in a news release Monday. The organization simply doesn’t know.

“We do not yet know if these actions are legitimate disclosures, the result of a cyber-attack or a physical breach of such systems, so we have taken no chances and launched an investigation,” Executive Director Jason Moseley said in a statement. “We will be pushing hard with our members to bring more transparency and collaborating with the necessary authorities. We must get to the truth.”

The organization, which manages the National Association of Bodyshops and the Vehicle Builders & Repairers Association, had investigated the matter for “several months,” it wrote Monday.

An unspecified “number of our members” indicated details like phone numbers and addresses of customers had passed to the third parties in mere hours, according to RMI.

“As part of an internal investigation, one of the bodyshops involved entered fictitious data into the system to attempt to draw out a reaction,” Moseley said in his statement. “Within a few hours of this data entry, a call was received from an accident management company trying to leverage a compensation claim.

“RMI Bodyshops and its members informed the necessary authorities and have been working together with them behind the scenes. ”

The organization and its members are also evaluating “the terms and conditions of the various agreements in place with repairer management systems, whether they are entitled to do this and the nature, scope and validity of such activity,” according to Moseley.

EMS and BMS

RMI’s alert recalls a 2015 situation in the United States when a collision repairer faced getting suspended from a direct repair program after a VIN database obtained a customer’s loss information.

The VIN service confirmed it didn’t get that information directly from the information provider or the repairer, leaving that shop off the hook “but it further reinforced the need for collision repair business owners to have protocol in place to maintain control of information and data generated by their business,” according to the Society of Collision Repair Specialists.

SCRS and the Collision Industry Electronic Commerce Association have both encouraged the industry to make the switch from the Estimate Management Standard, unsupported since 2003, to the Business Message Specification repair data file format.

EMS seems as though it could allow exactly the type of situation described by RMI.

Its format transmits a “flat file” versus a series of specific “messages” under BMS, according to CIECA. Under EMS, all data related to an estimate can be exported to a party (such as an estimating service/information provider, car rental company or jobber) who has requested the file from a collision repairer — not just the portion needed to accomplish whatever businesses the auto shop needed to transact with that party.

“Why does the car rental company need parts data?” CIECA Executive Director Fred Iantorno said in 2015, giving a hypothetical example. “They get it though.”

“Unfortunately, there are other scenarios where data pumps can be loaded on your computer without your consent or knowledge,” SCRS warned in a July news release. “They could be potentially installed by outside sales representatives visiting your business, be a part of a software or online program that you use in your business albeit unaware of the data collection properties, or in some cases outside call centers may call in and ask your staff to request remote access to you server to correct a connection issue on a program. These examples have all happened, and while they may be legitimate in many cases, it is important to know what pumps are on your system, and that the information is only going to the sources you intend it to go to.”

SCRS offered advice for unwanted access by earmarking data recipients in the release.

Iantorno said Monday both EMS and BMS data files are used in Europe. However, he didn’t have nearly as much first-hand familiarity with the U.K. digital landscape and said he couldn’t offer further perspective on how prevalent each standard was.

More information:

“POTENTIAL SERIOUS DATA BREACH FOR BODYSHOPS AND CONSUMERS”

RMI Bodyshops, June 13, 2016

“SCRS Researches EMS Data Export Options to Identify Data Pumps”

Society of Collision Repair Specialists, July 7, 2015

Featured image: British trade organization RMI Bodyshops has warned United Kingdom collision repairers that third parties have accessed customer data without a shop’s direct consent. (weerapatkiatdumrong/iStock)