CarGurus News
Cybersecurity Incident Information

To Our Valued Dealer Community,
We want to keep you up to date on the recent cybersecurity incident as we move toward the final stages of investigations. We have no higher priority than maintaining the trust of our customers and are taking this incident extremely seriously.
Q: What happened?
A: Our investigation, which is being done in partnership with a leading cybersecurity firm, shows this was an isolated security incident that was contained promptly and appears limited in scope. At this time, there is no indication that the incident involved a broad set of highly sensitive data. We also have no indication that dealer data feeds, APIs, dealer CRMs, core systems or products used by our dealer partners or consumers have been compromised.
CarGurus has remained fully operational, and our services continue without interruption.
Q: Was any of my account data exposed during this incident?
A: The data mainly included publicly available dealer names and contact details. In the rare cases where sensitive dealership information may have been involved, we contacted those dealer partners directly. If you have not been contacted, we do not currently believe your dealership's sensitive information was affected.
Q: When and how were dealers notified?
A: Once we had a preliminary understanding of potential impact to our dealers, we sent an email to all primary dealership contacts and published an update to our dealer-facing site on Feb. 22. We have also continued to communicate updates with dealers directly as our investigation has progressed.
Q: Do you recommend we rotate credentials or reissue API keys?
A: There are no indications in our investigation that any dealer data feeds, APIs, dealer CRMs, core systems or products used by our dealer partners or consumers have been compromised. Our platform has remained operational and there is no evidence that user accounts are at risk.
We do not believe dealer passwords are at risk, but we always recommend using strong passwords as an extra precaution. If you’d like help updating your credentials, our team can assist at Support@CarGurus.com.
Q: Does CarGurus have any direct access to our store systems or third-party platforms that could be compromised?
A: Our investigations show this was a limited event involving an internal company database, which was promptly secured. There are no indications at this time that any dealer data feeds, APIs, dealer CRMs, core systems or products used by our dealer partners or consumers have been compromised.
Our platform has remained operational and there is no evidence that user accounts or dealer store systems were at risk.
Q: Is there anything we should monitor for on our end?
A: CarGurus will continue to monitor the situation closely and will communicate directly with dealers if any additional steps are recommended. With cyber events on the rise, as a general best practice, we recommend:
- Remaining cautious of unsolicited or suspicious emails and avoiding clicking links or opening attachments from unknown senders
- Holding regular cybersecurity training with staff so that they’re aware of employee-targeted risks like e-mail and voice phishing
- Using multi-factor authentication for account log-ins whenever possible and avoiding SMS as an authentication method, which isn’t considered to be as secure
Q: I received an email claiming my information was compromised in the cyber event. What should I do?
A: These emails are most likely scams from opportunistic third parties and are not connected to the incident. We have no evidence that dealer systems were involved in this event. Do not respond, click links, open attachments, or send payment. Delete the email and remain cautious of similar phishing or extortion attempts.



