A security product vendor on Wednesday warned the Connected Car Insurance USA audience about the sheer amount of customer data available on a vehicle, and the presentation suggested operational and customer service steps a collision repairer might wish to take.
Privacy4Cars.com founder Andrea Amico warned the audience that a car could contain garage codes, home address, previous destinations, and details about calls and texts. (He illustrated this with a clip from the “Death Wish” remake showing how an attack on Bruce Willis’ character’s family is facilitated by a valet snapping a photo of their address off an infotainment system.)
“Criminals are businesspeople,” Amico said. Hacking a car and turning it into a deathtrap is a threat, but it’s hard to make money off of an owner you’ve killed, he said. Targeting personal information is low-risk and potentially more lucrative.
Amico offered the example of a totaled 2013 Porsche 911 Carrera at a salvage yard. A thief could hypothetically obtain the garage codes for the owner’s pricey home; find details like a Social Security number, user IDs and passwords saved under contacts; and read authentication PINs in text messages. He asked about the liability for an insurer who took possession of the vehicle and didn’t wipe the data first.
According to the presentation, a 396-vehicle study Amico did with the International Automotive Remarketers Alliance found personal information present 39 percent of the time in salvage vehicles’ phone/Bluetooth systems and 27 percent of the time in their GPS/navigation systems.
Another study found personal information in 99 percent of more than 600 rental vehicles, and 86 percent of nearly 100 vehicles at a United Kingdom auto auction.
He also suggested a body shop referred by an insurer could steal a customer’s identity and garage codes.
“How are you positive that this is not happening?” he asked the audience at the insurance-focused event.
Who’s liable? “You sent them there,” he told insurers in the room.
In a separate interview after the presentation, Amico said he didn’t know of any specific real-world instances of a body shop poaching personal information in this fashion. However, he noted that law enforcement called such a theft a difficult crime to detect.
But it’s not hard to see how a shop’s 1,000 vehicles a year could be an attractive soft-target source of personal information. A 2017 Experian report, for example, demonstrates how much such data can net on the “Dark Web.”
Amico, whose company’s app aggregates OEM instructions for erasing vehicles and coaches laymen or employees of rental car companies and salvage yards through the process, encouraged the audience to start to “practice good PII hygiene.” (Our usual caveat on aggregators: Only the actual OEM directions are guaranteed to be current and bulletproof.)
Asked if a body shop should wipe customer data after a total loss determination, Amico said the earlier the information and liability were removed, the better.
These concerns might seem excessive, but as Amico asked the audience, how many of you would unlock your smartphone and hand it to a stranger?
The presentation and our subsequent conversation with Amico got us thinking about steps more cautious repairers could take to protect customers’ data besides being extra careful about who’s allowed to touch the vehicle.
One option might be just to request the customer back up (if possible) and wipe their own data from the vehicle prior to dropping it off, assuming the car’s operable enough to do so.
Amico had pointed out how every time he swaps out cell phones, the vendor asks if he backed up and erased his data. Given this precedent from a familiar consumer sector, users might be willing to accept a similar inconvenience or procedure from the collision repair market.
On vehicles deemed a total loss while within your shop, it might be a great piece of customer service to offer to wipe the customer’s data yourself. (Amico suggested this could even be a moneymaking opportunity if you’re so inclined.)
The owner might be overwhelmed or flustered by the crash or totaling and not have considered doing so. The shop eliminates one hassle for the customer and shows they care about the owner’s cybersecurity, potentially making a good impression for the next time the owner needs collision services.
Privacy4Cars.com founder Andrea Amico warned the Connected Car Insurance USA audience Sept. 5, 2018, that a car could contain garage codes, home address, previous destinations, and details about calls and texts. (John Huetter/Repairer Driven News)
A 396-vehicle study Privacy4Cars.com founder Andrea Amico did with the International Automotive Remarketers Alliance found personal information present 39 percent of the time in salvage vehicles’ phone/Bluetooth systems and 27 percent of the time in their GPS/navigation systems. Another study by his company found personal information in 99 percent of more than 600 rental vehicles, and 86 percent of nearly 100 vehicles at a United Kingdom auto auction. (Privacy4Cars.com slide; photo by John Huetter/Repairer Driven News)