A major Iowa auto retailer lost phones and computers after an April cyberattack that may have exposed identity and financial data tied to Karl Auto Group customers and employees.
Karl Auto Group operates multiple Iowa dealerships, including Karl Chevrolet in Ankeny, Karl Chevrolet GMC in Webster City and Karl Chevrolet of Stuart. Auto dealers routinely collect sensitive customer and employee records for vehicle sales, financing, service and hiring.
Karl Auto Group said an unauthorized third party gained access to certain computer systems used in its business operations. The company said it began an investigation with a third-party forensic cybersecurity firm and notified the FBI and the Federal Trade Commission.
KCCI reported that the FBI is investigating the cyberattack and that Dealer Principal Bret Moyer said employees arrived at work over Easter weekend without phones or computers. Moyer told the station the dealership did not pay ransom money.
Karl Chevrolet, the group’s flagship Ankeny dealership, publicly acknowledged phone problems for at least five days beginning April 4, the day before Easter. In Facebook posts dated April 4, April 6 and April 8, the dealership said phone lines were down or intermittent, but told customers it remained open and directed them to email, message the dealership or stop by while service was being restored.
The company’s public notice says unauthorized access occurred before March 27, but Karl Auto Group did not become aware of the incident until April 4. During that period, the company said, an unauthorized third party may have accessed files and data stored on its systems.
The potentially affected information includes full names, Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account information, passport numbers and passport images, according to the notice. Karl Auto Group said not every data element was necessarily affected for every person.
Karl Auto Group said it took steps to contain and remediate the threat, added security measures and engaged dark web monitoring services. The company said it has found no evidence to date that personal information involved in the incident has been misused.
The company has not described the incident as ransomware. A ransomware group, however, later claimed Karl Chevrolet on its leak site.
RansomHouse claimed Karl Chevrolet in a post reviewed by DysruptionHub that said the company’s systems were encrypted April 3. That date falls one day before Karl Auto Group said it became aware of the incident and during the access window described in the company’s notice. Karl Auto Group has not publicly confirmed ransomware, data theft or a connection to RansomHouse.
Karl Auto Group’s public notice does not use the word ransomware, does not attribute the incident to RansomHouse and does not say whether systems were encrypted. The company has not publicly confirmed data theft, and its notice says the investigation is ongoing.
It remains unclear whether the access Karl Auto Group said occurred before March 27 is connected to RansomHouse’s claim. Karl Auto Group did not respond before publication to questions about data exfiltration or full system restoration.
Chip in once
If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.
Support us monthly
A small monthly pledge keeps independent coverage and our reader tools online for everyone.
The incident follows a broader period of cyber disruption in auto retail, where dealerships rely on connected systems for sales, financing, service, inventory and accounting. In June 2024, a cyberattack on CDK Global, a major dealership software provider, disrupted those functions at dealerships across North America.
Karl Auto Group has not publicly said how many people were affected, how long computers were unavailable, whether files were exfiltrated or whether all dealership systems have been fully restored. Its public Facebook posts show phone disruptions continued through at least April 8.
Karl Auto Group says its investigation is ongoing and has directed people with questions to a toll-free assistance line listed in its notice.
