There was a car dealer (Honda affiliate) I had the unfortunate "pleasure" of dealing with back in the mid-late 2000s that stored finance applications by numeric incrementing ids. I never did report it, but I was able to pull up a bunch of sensitive info (SSN, DOB, names, addresses) on folks living in NJ. (I didn't report it because bug bounties weren't really a thing back then and the CFAA was).
I managed to get my application removed, but the vulnerability existed for several years until they updated to a new system. The new system also appeared to have some vulnerabilities, but I never invested time to figure it out. I just did not do business with that dealer ever again, and I'm super wary about car dealerships and finance applications these days...I usually get my financing from elsewhere even if it means a bit higher of a payment...thankfully my vehicle is paid off.
There is a huge missing niche for trusted intermediaries of identity information. We’ve been working on this at https://cerebrum.com in a different niche (background checks), but this comment just triggered a slew of ideas…
This isn’t a marketing push so much as an observation. Some company will fill this niche at some point. There is no reason to disclose your SSN to a car dealership if you can share a shielded, verifiable record of your credit history with them.
You can look through my comment history — I am not here to sell a product.