Cyber Incident Victim: Findlay Automotive Group
Date:
Jun 2024
Location:
United States of America
Summary
Findlay Automotive Group experienced a ransomware attack disrupting IT systems, severely limiting sales and service operations across its dealerships and causing significant daily revenue losses. The company initiated an investigation with cybersecurity experts and law enforcement while maintaining limited operations with minimal staff. A class-action lawsuit alleges failure to safeguard sensitive customer data—including names, financial details, and Social Security numbers—potentially exposed during the incident, demanding deletion of compromised information, lifetime compensation for affected individuals, and enhanced security measures. The attack's operational impact forced customers to seek alternative service providers, and the company has not yet confirmed specific data breaches to impacted parties.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Findlay Automotive Group, operating dealerships across Nevada, Utah, Arizona, Washington, and Idaho, publicly disclosed a cybersecurity incident on June 10, 2024, though the attack itself occurred earlier that week. The company characterized the event as a ransomware attack that disrupted critical IT systems, severely limiting sales and service operations across its 33 dealerships. Findlay initiated an investigation promptly upon detection, engaging external cybersecurity experts and coordinating with law enforcement agencies, though the Federal Bureau of Investigation maintained its standard policy of neither confirming nor denying involvement. Operational impacts were immediate: dealerships remained open with skeleton crews, but most employees could not work due to system outages, forcing customers like Duke Zamora—a 2024 Chevrolet Trax owner—to seek vehicle servicing at competing dealerships after repeated unsuccessful attempts to contact Findlay Chevrolet. The company advised affected service customers to visit dealerships in person or call directly for assistance, acknowledging persistent technological limitations.
Financial repercussions emerged rapidly, with internal sources estimating daily revenue losses in the millions of dollars and projecting at least another week before full system restoration. Concurrently, a class-action lawsuit filed on June 12, 2024, in Clark County District Court accused Findlay of inadequate data protection measures, alleging potential compromise of customer names, addresses, Social Security numbers, financial account details, and insurance information. Plaintiffs Karen Smith and Pholisith Bouphapraseuth sought court-mandated data deletion, lifetime identity protection coverage, and enhanced cybersecurity protocols, noting Findlay had not yet informed customers about specific data breaches. Industry commentary from Nevada Franchised Auto Dealers Association executive director Andrew MacKay contextualized the attack, emphasizing auto dealerships’ systemic reliance on technology for sales, manufacturer communications, and safety notifications while highlighting substantial sector-wide investments in cybersecurity training and infrastructure. Findlay’s ongoing investigation continued without public confirmation of ransom payments or detailed forensic findings as of mid-June 2024.