If you’ve applied for financing at a car dealership, there’s a good chance your personal information traveled beyond the showroom.
In October, Michigan-based credit reporting and identity verification company 700Credit disclosed a data breach that affected at least 5.6 million people. According to Michigan attorney general Dana Nessel, the stolen data included names, addresses, dates of birth, and Social Security numbers. The information was collected from car dealerships between May and October 2025.
What makes this breach unsettling is how affected individuals never chose to do business with 700Credit. Many likely never knew it existed.
The hidden risk of data middlemen
700Credit operates as a middleman. It provides credit checks and identity verification services to auto dealerships across the United States.
That data is passed to third-party companies like 700Credit. Each handoff creates another place where sensitive information is stored, copied, and vulnerable to hackers. Consumers have no way of keeping track of how their data is handled.
They accumulate enormous amounts of sensitive information without a direct relationship with consumers. When something goes wrong, there’s no accountability. Meanwhile, consumers are left to deal with the fallout.
The perfect storm for identity theft
Not all data breaches carry the same level of danger. This one involves the information fraudsters look for.
Names, addresses, dates of birth, and Social Security numbers form the foundation of a person’s identity. Unlike passwords, this information can’t be changed. Once exposed, it can be misused for years to open fraudulent accounts, apply for loans, or commit tax fraud.
This is what turns the 700Credit breach from an inconvenience into a long-term risk. Credit monitoring can alert people to some suspicious activity, but it doesn’t undo the exposure of core identity data.
The two-month notification gap
What’s troubling is how long it took for affected individuals to be notified.
The breach occurred in October. It’s now mid-December, and 700Credit is starting to send letters by mail to people whose information was compromised. Why did it take roughly two months for victims to be informed?
During that gap, consumers had no reason to place fraud alerts, freeze their credit, or watch for signs of identity theft. Any misuse of the stolen data during that period would have happened while victims were completely unaware.
This kind of delay is common in breach disclosures, but that doesn’t make it acceptable.
What this breach reveals about the system
This breach is yet another example of why you should never let a company act as the middleman for your personal data.
Third-party processors play a critical role in industries like auto financing, but they fail to protect the sensitive data they collect. Consumers can’t opt-out of these systems on their own. That makes transparency, and strong oversight essential, not optional. Until those expectations change, breaches like this will continue to happen.
