700Credit Data Breach Incident – The Latest

Summary
700Credit has confirmed a data breach involving dealer customer data—including names, addresses, and Social Security numbers—copied without authorization between May and October 2025. 700Credit has committed to providing required federal, state, and consumer notifications on behalf of dealers, as well as credit monitoring services, unless a dealer opts out by December 5, 2025, at 5:00 PM ET.

Dealers must still take immediate action:

• Contact 700Credit to confirm exactly what notices they will send on behalf of your dealership, and obtain written confirmation that their notifications fully satisfy every applicable state and federal requirement — especially the specific state-by-state notice requirements highlighted in this update.
• Request a full list of affected customers, their states of residence, and the specific compromised data.
• Notify your insurance carrier and review your 700Credit contract for potential indemnification rights.
• Appoint an internal point of contact for consumer and regulatory inquiries.
• Ensure your Safeguards Rule documentation is up to date, including vendor risk assessments, vendor GLBA Safeguards Rule addenda, and updates to your Information Security Program.

ComplyAuto customers can use the Data Breach Wizard to verify state-law requirements and rely on ComplyAuto for vendor documentation, risk assessments, and updates to Safeguards Rule materials.

Background
This alert provides an update to our December 1, 2025 notice regarding the recent 700Credit data breach incident.  First, it is now clear that a data breach did in fact occur involving dealer data stored by 700Credit.  We are aware of several communications from 700Credit and others, as well as additional press reports confirming the incident, and providing details of what occurred. 

IF YOU ARE A 700CREDIT CUSTOMER AND HAVE NOT BEEN IN COMMUNICATION WITH 700CREDIT, YOU SHOULD CONTACT THEM NOW. 700Credit has provided the following contact information for questions about the breach and 700Credit’s response:
Phone: (866) 273-0345 | Website: http://www.700credit.com.

Based on recent communications from 700Credit and others, we now have clarity on the steps 700Credit has committed to take on behalf of dealers and the actions dealers must take to ensure full compliance with federal and state requirements.

According to 700Credit, on October 25, 2025, 700Credit discovered suspicious activity within its web-based application, 700Dealer.com. The investigation determined that customer data was copied without authorization between May 2025 and October 2025. 

The compromised data was: (a) apparently exposed in an unencrypted manner¹, and (b) includes consumer names, addresses, and Social Security numbers. That is important because it is only unencrypted data that includes a consumer’s name in combination with the Social Security number that triggers the consumer breach notice obligation under most state laws.

Steps 700Credit Has Reportedly Committed to Take on Behalf of Dealers
It is our understanding that 700Credit is committed to providing the requisite notice to:

1. The Federal Trade Commission pursuant to the FTC Safeguards Rule
2. Affected consumers pursuant to stat
3. State agencies and AG offices as required under state law. 

If those steps are taken in a timely manner and compliant with state law, that should satisfy dealers’ obligations under state and federal law. 

What Should Dealers Do Now?
While it is a very positive step that 700Credit has agreed to address these issues.  This does not necessarily end the inquiry for dealers.  Dealers should still undertake the following critical actions as soon as possible:

1. Communicate with 700Credit and Obtain Commitments
Contact 700Credit immediately to confirm the specific steps they will take on your dealership’s behalf. Request and obtain a written commitment from 700Credit that their notices—if provided—will meet ALL state and federal requirements applicable to your dealership

Remember: Each state data breach law is different. It is critical that you confirm 700Credit’s notifications will satisfy the requirements in the specific state(s) where your affected consumers live. Ask 700Credit to specify:

• Which states’ notification requirements their consumer notices will satisfy
• What specific statutory requirements are being met in each state
• Whether any additional state-specific actions are required by your dealership

2. Obtain Affected Customer Information
Request from 700Credit: (a) A complete list of your dealership’s customers who were affected by this breach; (b) The state(s) of residence for each affected customer, and (c) the specific types of information compromised for each customer.

This information is essential for: Determining your state-specific notification obligations; Updating your Safeguards Rule policies and materials; Assessing potential liability exposure; Responding to potential customer inquiries, and; Meeting potential documentation requirements under state laws.

Further Details and Considerations

1. FTC Notification
As noted above, 700Credit has agreed to notify the Federal Trade Commission (FTC). Specifically, 700Credit has committed to the following actions with respect to the FTC:

• Filing a consolidated breach notice with the FTC on behalf of all affected dealer clients
• Completing all required data fields in the FTC notification, including:
  • Types of information involved in the breach
  • Summary of the notification event
  • Identity of affected dealer clients
• Satisfy the FTC Safeguards Rule reporting obligation for dealers (unless dealers opt out by December 5, 2025 at 5:00 PM ET)

Important Note: The FTC has announced that they have accepted this consolidated filing approach. Dealers who do not opt out will have no separate FTC filing obligation for this incident. However, dealers can opt out by contacting optout@700credit.com, in which case they will be responsible for their own FTC filing if they determine a notification event has occurred.

Note also, that the filing, while submitted by 700Credit, will list dealers whose customers were affected by the breach. These dealer names will therefore be exposed on a public-facing FTC website.  Moreover, it is unclear if this filing will be made only for dealers who meet the 500 consumer reporting threshold, or if 700Credit will file a report for all affected consumers and dealers regardless of whether a particular dealer had 500 consumers involved or not.  Dealers should consider the implications of that in determining whether to opt-out or not. 

2. State Agency Notification
700Credit has also committed to notify state and federal regulators as required by applicable law.  Note however, that each state has different breach notification requirements with respect to state agencies.  Some require, for example, the AG to be notified, and often in a specific manner. There are some states that have further requirements, such as notifying consumer reporting agencies or others. Dealers should ask 700Credit to confirm that all relevant notification requirements are met.

NOTE: ComplyAuto customers can use the Data Breach Wizard tool in ComplyAuto’s Privacy software to confirm the requirements in your state.

3. Consumer Notice
700Credit has also committed to provide notice to affected consumers, as well as credit monitoring and a dedicated support line.

The notice will be supplied directly via individual mailing or other appropriate means. With a detailed explanation of the incident and information involved, as well as a timeline of the incident (May 2025 through October 2025), and steps consumers can take to protect their personal information. 700Credit has provided a sample notice to dealers. 

The Credit Monitoring Services will include 12-24 months of identity and credit monitoring services at no cost to the consumer or dealer (duration will depend on state of residence and statutory requirements), and consumers must enroll themselves following provided instructions.

Again, this is subject to a dealers’ opportunity to opt-out of having such notice provided on your behalf. The Opt-Out Deadline is December 5, 2025 at 5:00 PM ET (contact: optout@700credit.com).

There are several issues dealers should note with regard to consumer notice.  
First, the sample notice from 700Credit does NOT name the dealership. While that may sound helpful, it is unclear if that fully meets the requirement under all state laws for the dealer (as the responsible entity under state law) to provide notice. It may, but dealers should seek assurances from 700Credit that it is adequate.  

Second, there are a number of states that have specific requirements that may or may not be met with a generic national notice. California, for example, has a specific format the notice must take. Again, this may be adequate, but dealers should seek assurances that it meets the requirements of your customers’ states.

Additional Critical Actions for Dealers
Beyond notice requirements, dealers should take the following independent actions:

1. Notify Your Insurance Carrier
If you have not already done so,  contact your insurance carrier immediately to report this incident. Provide details of the breach and potential exposure and document all communications with your insurer

2. Seek Indemnification for Breach Claims
Review your contract with 700Credit for indemnification provisions and consider sending a formal notice to 700Credit seeking indemnification for costs and liabilities arising from this breach. This is an important legal issue that dealers should discuss with their legal counsel. 

3. Appoint a Point of Contact for Inquiries
Designate a specific staff member to handle consumer inquiries about the breach, and media or press inquiries (if any). This person could also handle internal coordination of breach response, communication with 700Credit, and coordination with legal counsel.

This person should be trained on the facts of the incident, provided with approved talking points, authorized to escalate issues as needed, and the central point of contact for all breach-related matters.

4. Ensure Safeguards Rule Compliance
The full range of FTC Safeguards Rule requirements remains in effect. To ensure compliance with the Safeguards rule, you must ensure you:

(i) Have an updated Risk Assessment from 700Credit. For ComplyAuto Customers: Simply check your ComplyAuto account to verify you have the current risk assessment on file.

(ii) Have the required contract amendments in place. Verify you have the following agreements in place with 700Credit: A signed Data Processing Agreement (DPA), and the required contract amendments under applicable state privacy laws.

ComplyAuto Customers: ComplyAuto takes care of this documentation for you. You can confirm the presence of these required documents directly in your ComplyAuto account.

(iii) Update Your Information Security Program
You must ensure this incident is properly addressed in your dealership’s compliance documentation. For example, you may need to update your written Information Security Program to reflect: this breach incident and its causes; any lessons learned or process improvements; enhanced monitoring or oversight of 700Credit, or; any updated risk assessment findings.

You should also consider including this incident in your Annual Board Report (or equivalent management report) covering a description of the incident, the impact on your customers, any steps taken to address the incident, actions taken to prevent similar incidents, and similar concerns.

ComplyAuto Customers. We handle your vendor management program for you and can help you ensure you have the documents and contract amendments you need under the Safeguards Rule. In addition, as noted above, you have access to the Data Breach Wizard tool to help you evaluate your obligations under state law. At the appropriate time, we can assist in updating your Information Security Program and Board Report. Contact your ComplyAuto representative with any questions or concerns.

(iv) Document all communications with 700Credit regarding their commitments and maintain records of all actions taken in response to this incident. While it may not be strictly required, it is always good practice to document the steps you have taken.  It will also help in updating your Safeguards documentation.

For Non-ComplyAuto Dealers:

• Consider engaging legal counsel familiar with data breach notification requirements
• Ensure you understand the specific requirements in each state where you do business
• Contact ComplyAuto today to sign up with the dealership compliance experts

1.  This is not stated, but there is no indication that the data was encrypted. Moreover, the state data breach notice requirements generally only apply to encrypted data.  

Additional Information:
We are also hosting a webinar this upcoming Monday, December 8, to discuss the 700Credit Data Breach and what it means for dealers. Register today to secure your spot. 

Note: You should still register if you cannot attend. We will send the full recording to everyone who registers.

Webinar Details: 700Credit Data Breach Update: What Dealers Need to Know

• Monday, December 8, 2025, 2:30 - 3:30 PM ET
• REGISTER NOW

Author: Brad Miller, Co-CEO & Chief Legal Officer, ComplyAuto
The original article is available here.