700Credit, a provider of credit and identity-verification solutions for automotive, RV, powersports, and marine dealerships, has disclosed a data breach affecting personally identifiable information (PII) for an undisclosed number of consumers.
The incident has prompted a coordinated response involving cybersecurity experts, federal authorities, and the National Automobile Dealers Association (NADA), with significant regulatory implications for dealerships across the US.
Details of the security incident
According to a statement from the Michigan-based company, a “bad actor” gained unauthorized access to certain PII housed within the 700Dealer.com application layer. Exposed information included names, addresses, and Social Security numbers. No evidence of identity theft, fraud, or misuse has been identified to date.
700Credit stated that third-party cybersecurity specialists found no impact on the company’s internal network or core systems and confirmed that “all activity is limited within the 700Dealer.com application layer.” The company emphasized that operations remain unaffected and that services continue as scheduled.
The firm has mailed detailed notices to impacted dealers and is in the process of notifying affected consumers. Impacted individuals will be offered credit monitoring and additional support. A dedicated hotline has been established at (866) 273-0345 for questions.
Regulatory response
Because the breach involved unencrypted customer information, it raised immediate questions about whether dealers using 700Credit must individually notify the Federal Trade Commission under the FTC Safeguards Rule. The rule requires financial institutions, including auto dealerships, to provide electronic notice to the FTC within 30 days of discovering a “notification event” involving data on at least 500 consumers.
If interpreted strictly, each dealer client whose customers’ data passed through 700Credit could be obligated to submit an individual breach report, including details of the incident, the type of data compromised, and the scope of exposure.
To address this potential regulatory burden, 700Credit filed a breach notice with the FTC on its own behalf and pursued an option to file a consolidated notice covering all affected dealer clients. NADA, working with 700Credit’s legal counsel, formally proposed this consolidated approach to the FTC. According to NADA, “700Credit would complete all of the required data fields based on available information, including the identity of its affected dealer clients.” This filing would satisfy any FTC reporting obligations triggered by the breach.
The FTC has accepted the proposal, meaning dealers “have no obligation to file a breach notice with the FTC related to this matter.” Dealers may opt out of this arrangement, but doing so would require them to determine independently whether a notification event occurred and file their own notice if required.
Implications for dealerships
While the FTC’s acceptance of a consolidated filing relieves dealers of a significant administrative and legal burden, it does not eliminate all responsibilities. NADA emphasized that the broader Safeguards Rule remains fully in effect. Dealerships must continue to maintain compliant information-security programs, monitor vendors, and prepare for future incidents.
Dealers must also be aware that state-level data breach laws remain in force. As NADA clarified, “the FTC’s acceptance of this proposal has no effect on state notification requirements.” Many states mandate rapid notification to both consumers and state attorneys general, often with requirements that differ from federal rules. Dealers are advised to consult legal counsel to determine whether additional state-level reporting is necessary.
700Credit stated it has already notified the FBI and the Federal Trade Commission and will notify state attorneys general on behalf of dealers. The company reiterated that it cannot advise dealerships on their specific legal obligations, underscoring the need for legal consultation in cases where state regulations may apply.
Broader security concerns
The incident comes at a time when cyberattacks targeting the automotive retail sector are increasing, particularly against third-party service providers that handle sensitive consumer financial information. With over 21,000 dealership clients and more than 250 integration partners, 700Credit holds a substantial footprint in the industry. Its services include credit bureau data, identity verification, fraud detection, and soft-pull tools used widely at the early stages of the sales funnel.
Because thousands of dealerships rely on the company’s platforms for core finance and insurance (F&I) functions, any breach carries amplified risk. Even without evidence of misuse, exposure of Social Security numbers and other sensitive data creates long-term vulnerabilities for affected consumers, requiring ongoing monitoring.
Next steps
700Credit has pledged to “take extraordinary steps necessary to assist consumers and notify required parties on behalf of dealers.” The company said it is working directly with NADA to ensure consistent communication and regulatory compliance.
Dealers can expect further direct updates from 700Credit as the investigation proceeds. The industry will be watching closely for additional findings, particularly regarding how the attacker gained access and what long-term cybersecurity enhancements will result.
The FBI warns holiday scammers are hitting email, social media, fake sites, delivery alerts, and calls, with new data showing losses and complaints rising.
