Source: Findlay operations nearly idled, losses mount from cyberattack; suit filed
Findlay Automotive Group is reportedly losing millions of dollars a day in revenue after it was hit by a ransomware attack earlier this week, a person familiar with the matter said.
It could take another week before the company can fix the issues, the person told the Las Vegas Review-Journal. It’s unclear if Findlay Automotive has paid any ransom.
Findlay Automotive has scaled back operations at its 33 dealerships and only has a few employees working at each one in case customers show up, the person said. Most employees aren’t working since most sales and service operations have been impacted by the attack.
Duke Zamora of Las Vegas said he bought a 2024 Chevrolet Trax from Findlay Chevrolet last year and called the dealership several times this week to try to get service. He said he was told that the computer systems were down and they couldn’t help him. Zamora, who isn’t involved in the lawsuit, said he had to go to another dealership for the service.
Days after the Las Vegas-based automotive group was hit by the cyberattack it’s already facing a class-action lawsuit claiming it failed to properly protect sensitive customer information in the wake of a cyberattack against the company.
Facing class-action lawsuit
The lawsuit, filed Wednesday in Clark County District Court, says that, since Findlay Automotive was the victim of a cyber attack, it could have compromised customer information that could fall into the hands of bad actors. Customer information that Findlay Automotive could have exposed includes names, addresses, Social Security numbers, insurance policy numbers, credit and debit card numbers, and other financial information needed to sell, buy or lease a vehicle, the suit says.
Findlay Automotive didn’t immediately respond to a request for comment.
The plaintiffs in the initial filing are listed as Karen Smith and Pholisith Bouphapraseuth and are represented by the Stranch, Jennings & Garvey law firm.
“Plaintiffs make the following allegations on information and belief, except as to their own actions, which are made on personal knowledge, the investigation of counsel, and the facts that are a matter of public record,” the lawsuit said.
The plaintiffs want Findlay Automotive to delete all sensitive customer information from its system, pay for any expenses over the lifetime of the plaintiffs related to the fallout of this information getting into the wrong hands, and implement additional cybersecurity measures in the future.
The lawsuit also stated that Findlay Automotive hasn’t notified the plaintiffs on whether their information has been compromised.
Background on incident
Findlay Automotive shared a statement on Monday saying it was dealing with a “cybersecurity issue” that impacted its sales and services department.
“Promptly after becoming aware of the issue, we launched an investigation with the assistance of leading cybersecurity experts and law enforcement,” the statement said. “Our investigation is ongoing, and we are working diligently to resolve the matter.”
The Metropolitan Police Department referred the Review-Journal to the Federal Bureau of Investigation when asked about an investigation into the cyberattack. The FBI said its standard practice is to neither confirm nor deny the existence of an investigation.
How dealerships view cybersecurity
Cybersecurity is an issue auto dealers in Nevada and the U.S. have been worried about for years since every dealership relies on technology to operate, said Andrew MacKay, executive director of the Nevada Franchised Auto Dealers Association. He estimates that Nevada auto dealers spend “millions of millions” of dollars every year on cybersecurity efforts, from employee training, to upgrading a dealership’s hardware and software and other IT components.
MacKay couldn’t comment on Findlay Automotive’s situation or the class-action lawsuit, but said dealerships are reliant on computers and technology to complete sales and service appointments, communicate with car manufacturers and notify customers of important safety information related to their vehicle.
“You have to have technology, end of story,” he said.
Contact Sean Hemmersmeier at shemmersmeier@reviewjournal.com. Follow @seanhemmers34 on X.