As motor vehicle retail becomes increasingly digital and interconnected, dealerships are handling more sensitive personal information across more systems and partners – and that is turning them into attractive targets for both cybercriminals and opportunistic social engineers.
In a panel discussion at last week’s 2026 F&I Virtual Summit, the message was consistent: compliance with the Protection of Personal Information Act (POPIA) and cyber resilience are no longer box-ticking exercises. They are operational fundamentals – and, done well, a foundation for customer trust.
The discussion featured Dr Jabu Mtsweni, head of cyber and information security at the Council for Scientific and Industrial Research; Nthabiseng Miller, executive: legal and compliance at The Innovation Group; and Inge Labuschagne, director at Labuschagne & Mostert Inc.
Cyber threats now facing dealerships
Mtsweni identified several prominent cybersecurity threats affecting dealerships. He began with business email compromise, describing it as the easiest form of attack in this environment. Dealerships rely heavily on email communication with customers, particularly to facilitate payments, and criminals exploit that by intercepting emails, altering invoices, and diverting deposits or settlements.
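The invoice-alteration pattern described above is caught most cheaply at the point of payment rather than in the mailbox. The following is an added example, not code from the panel or from any dealership system: each incoming payment instruction is compared with payee details that were verified out-of-band when the relationship was set up, and any change in account number, bank or sending domain holds the payment for confirmation on a known telephone number. The register entries, names, account numbers, domains and amounts are constructed sample data.

```python
"""Payee-detail check to catch altered payment instructions.

Added example, not code from the panel or any dealership system. Before
a dealership pays a settlement or refund, or tells a customer where to
deposit, the bank details on the incoming instruction are compared with
details that were verified out-of-band earlier. Any difference holds the
payment for confirmation on a known telephone number instead of being
acted on. Names, account numbers, domains and amounts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class VerifiedPayee:
    name: str
    bank: str
    account: str
    sender_domain: str  # domain this payee normally writes from


@dataclass(frozen=True)
class PaymentInstruction:
    payee_name: str
    bank: str
    account: str
    sender_email: str
    amount: float


@dataclass
class Decision:
    action: str          # "pay" or "hold"
    reasons: List[str]


def normalise_account(acct: str) -> str:
    """Keep digits only so spacing or dashes cannot mask a real change."""
    return "".join(ch for ch in acct if ch.isdigit())


def check_instruction(instr: PaymentInstruction,
                      register: Dict[str, VerifiedPayee]) -> Decision:
    """Compare an instruction with the verified register; hold on any mismatch."""
    reasons: List[str] = []
    payee = register.get(instr.payee_name.strip().lower())
    if payee is None:
        return Decision("hold", ["payee not in verified register"])
    if normalise_account(instr.account) != normalise_account(payee.account):
        reasons.append("account number differs from verified record")
    if instr.bank.strip().lower() != payee.bank.strip().lower():
        reasons.append("bank differs from verified record")
    domain = instr.sender_email.rsplit("@", 1)[-1].lower()
    if domain != payee.sender_domain.lower():
        reasons.append(f"sender domain {domain} differs from {payee.sender_domain}")
    return Decision("hold" if reasons else "pay", reasons)


# Constructed register: details confirmed by phone when the relationship was set up.
REGISTER = {
    "example finance house": VerifiedPayee(
        name="Example Finance House", bank="Example Bank",
        account="62 000 111 222", sender_domain="example-finance.co.za"),
}

# Constructed instructions: one genuine, one with altered details and a lookalike domain.
GENUINE = PaymentInstruction(
    payee_name="Example Finance House", bank="Example Bank",
    account="62000111222", sender_email="settlements@example-finance.co.za",
    amount=185000.00)
ALTERED = PaymentInstruction(
    payee_name="Example Finance House", bank="Other Bank",
    account="62 000 999 888", sender_email="settlements@examp1e-finance.co.za",
    amount=185000.00)


if __name__ == "__main__":
    for label, instr in (("genuine", GENUINE), ("altered", ALTERED)):
        d = check_instruction(instr, REGISTER)
        print(label, d.action, d.reasons)
```

The point of the design is that a "hold" is never cleared by replying to the e-mail that triggered it; the verified register is only updated after confirmation on a number already on file.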
Ransomware was another major threat. In these cases, criminals lock dealership systems and demand a ransom. That can be devastating because, without functioning systems, dealerships cannot operate or serve clients.
Mtsweni also pointed to information leakage by staff. Salespeople, who are often not cyber savvy, may share copies of identity documents, bank statements, and similar records in ways that allow the information to fall into the wrong hands. Those incidents can become data breaches that criminals use to target customers.
Labuschagne added that not all threats are purely digital. She described impersonation scams in which individuals posing as South African Police Service or South African Revenue Service officials arrive at dealerships and ask for access to files and documents. Frontline staff are often not trained to verify whether those individuals are genuinely authorised or whether they may lawfully access the information.
POPIA, contracts, and data-sharing risk
The panel turned to the legal risks of handling customer data across multiple partners and platforms.
Miller said the main legal risk is not having the right controls in place. Dealerships need to understand the conditions under which they process the information they hold, consider whether they need to retain all of it and ensure that unnecessary information is destroyed when it is no longer required.
She also emphasised the importance of proper contractual safeguards when data is shared with other dealers or third parties. Contracts should regulate how information is processed and used and should include audit or review rights so that a dealership can check compliance.
Labuschagne said many dealerships operate with numerous systems and service providers but lack the corresponding contractual controls. A dealership may have dealer management systems, CRM tools, and lead-handling platforms running at the same time, yet data can still flow out of the business without the necessary written agreements in place.
Where third parties process data on behalf of a dealership, she explained, POPIA requires a written contract setting out what they can and cannot do with the data, what security measures they have in place, what happens if there is a breach, how quickly they must notify the dealership, whether they may communicate directly with customers, and whether the dealership has the right to audit their systems.
She distinguished that from relationships with banks and insurance providers, which are responsible parties in their own right. In those cases, the dealership does not instruct the bank or insurer to process data on its behalf. Rather, it shares information that those entities are legally entitled to receive to finance the vehicle or provide insurance.
Labuschagne said dealerships need appropriate data-sharing agreements with those parties too, setting out how data will be shared, which methods will be used, and how customers will be informed. In practice, she said, customers are often not properly told that they will receive calls from specific finance institutions or insurance providers, and unexpected calls can trigger complaints and regulatory scrutiny.
Consent and common points of failure
The panel devoted substantial attention to POPIA compliance, particularly in relation to consent and record-keeping.
Miller said contracts should contain POPIA-specific clauses dealing with how data is to be processed and what security measures must be implemented. She also recommended indemnities and warranties to cover regulatory fines, damages or reputational harm, along with audit rights that allow for ongoing monitoring.
When asked where organisations commonly fall short in managing consent records, Miller said the problem is usually that they do not properly document or record consent. From a legal perspective, the issue is not merely whether consent was obtained, but whether there is evidence to prove it. Where services are outsourced or third parties sell products on behalf of a dealership, the dealership should be able to retrieve proof of consent, whether that is on a form, in a recording, or through another traceable mechanism.
Labuschagne approached the issue from the perspective of the legal basis for processing. Referring to section 11 of POPIA, she noted that consent is not the only ground for lawful processing. Other grounds include the performance of a contract and legal obligations under other legislation. She said that if a dealership does choose to rely on consent, it must remember that consent can be withdrawn.
She also emphasised that where data is sent elsewhere – for example, for comprehensive insurance or tracking devices – consent is non-negotiable, and written proof matters. In audits, she said, a recurring question is simple: if the dealership is relying on consent, where is the proof? If it is not documented and saved on the relevant systems, it is unlikely to satisfy the regulator.
Labuschagne added that many dealerships have no clear plan for when consent is obtained in the customer journey – whether at the first visit, during a test drive, or only once the vehicle leaves the showroom. Without that plan, she said, consent falls through the cracks.
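The three points made above (proof of consent must be retrievable, consent is only one of the section 11 grounds and can be withdrawn, and consent needs a defined place in the customer journey) translate into a small register that a dealership's systems could keep. The following is an added example, not code from the panel or any dealership product: each processing purpose is logged with its ground and the stage at which it was captured; a purpose resting on consent is only treated as authorised while evidence is on file and no withdrawal has been recorded; and an audit function lists the records that would fail the regulator's "where is the proof?" question. Customer ids, purposes, stages and evidence references are constructed.

```python
"""Processing-basis register with retrievable consent evidence.

Added example, not from the panel or any dealership product. Each
processing purpose for a customer is logged with its lawful ground
(section 11 of POPIA lists consent, contract performance and legal
obligation among the grounds) and the stage of the customer journey at
which it was captured. Where the ground is consent, a reference to the
stored evidence (form, recording id) is required before the purpose is
treated as authorised, and withdrawal ends it. Customer ids, purposes,
stages and evidence references are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CONSENT = "consent"
CONTRACT = "contract"
LEGAL_OBLIGATION = "legal_obligation"


@dataclass
class ProcessingRecord:
    customer_id: str
    purpose: str
    ground: str
    captured_at: datetime
    stage: str                       # e.g. "first_visit", "test_drive", "delivery"
    evidence_ref: Optional[str] = None
    withdrawn_at: Optional[datetime] = None


class BasisRegister:
    def __init__(self) -> None:
        self._records: List[ProcessingRecord] = []

    def record(self, rec: ProcessingRecord) -> None:
        self._records.append(rec)

    def withdraw(self, customer_id: str, purpose: str,
                 when: Optional[datetime] = None) -> bool:
        """Mark an active consent as withdrawn; other grounds cannot be withdrawn."""
        when = when or datetime.now(timezone.utc)
        for r in self._records:
            if (r.customer_id == customer_id and r.purpose == purpose
                    and r.ground == CONSENT and r.withdrawn_at is None):
                r.withdrawn_at = when
                return True
        return False

    def may_process(self, customer_id: str, purpose: str
                    ) -> Tuple[bool, Optional[str], Optional[str]]:
        """Return (allowed, ground, evidence_ref).

        Consent counts only if evidence is on file and it has not been
        withdrawn; contract and legal-obligation grounds need no evidence ref.
        """
        for r in self._records:
            if r.customer_id != customer_id or r.purpose != purpose:
                continue
            if r.ground == CONSENT:
                if r.evidence_ref and r.withdrawn_at is None:
                    return True, CONSENT, r.evidence_ref
                continue
            return True, r.ground, None
        return False, None, None

    def audit_gaps(self) -> List[Tuple[str, str]]:
        """Consent records an auditor would reject: no retrievable proof."""
        return [(r.customer_id, r.purpose) for r in self._records
                if r.ground == CONSENT and not r.evidence_ref]


def build_sample_register() -> BasisRegister:
    """Constructed records for one customer across the sales journey."""
    reg = BasisRegister()
    t0 = datetime(2026, 2, 10, 9, 30, tzinfo=timezone.utc)
    reg.record(ProcessingRecord("C-1001", "finance_application", CONTRACT, t0, "first_visit"))
    reg.record(ProcessingRecord("C-1001", "share_with_insurer", CONSENT, t0, "first_visit",
                                evidence_ref="FORM-SCAN-0117"))
    # Consent claimed for the tracking provider, but nobody filed the proof.
    reg.record(ProcessingRecord("C-1001", "share_with_tracking_provider", CONSENT, t0, "delivery"))
    return reg


def withdraw_and_check(reg: BasisRegister, customer_id: str, purpose: str,
                       when: Optional[datetime] = None):
    """Record a withdrawal and return the resulting may_process() answer."""
    reg.withdraw(customer_id, purpose, when)
    return reg.may_process(customer_id, purpose)


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.may_process("C-1001", "share_with_insurer"))
    print(reg.audit_gaps())
    print(withdraw_and_check(reg, "C-1001", "share_with_insurer"))
```

Running the block shows the insurer disclosure authorised with its form reference, the tracking-provider disclosure listed as an audit gap because the consent was never evidenced, and the insurer disclosure refused once the withdrawal is recorded.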
Human error, training, and access control
Mtsweni said about 80% of data breaches begin with human error. He described users as the weakest link and said organisations often focus too heavily on technology while neglecting the human element.
He used the image of a three-legged stool – technology, people, and processes – to illustrate that if any one of the three is weak, the overall security posture is compromised. He recommended standard operating procedures, clear policies, appropriate technology, and practical attention to both employees and customers.
Labuschagne made a similar point in relation to role-based access and training. Dealerships can have strong governance documents and sound IT security, but if staff are ignorant about how they handle information, the dealership remains at risk. Without role-based access that limits information to those who need to know, and without proper training, she said, the best systems in the world will not help.
Dealerships should train staff regularly, conduct spot checks, and test whether internal processes work in practice. She described how she carries out spot checks by going to reception, introducing herself as someone mandated to look after POPIA compliance, and asking for access to deal files. If staff do not ask for proof of her mandate or follow the process, that indicates a control failure.
Smaller dealerships and shared resources
The panel also considered how smaller dealerships with limited resources can strengthen their cybersecurity posture.
Mtsweni acknowledged that resources will always be an issue. A bank and a small dealership do not have the same financial capacity. He pointed to shared services, including virtual security operations centres, as a way for smaller organisations to pool resources, share licence costs and access solutions they could not afford individually.
He also underlined the value of information-sharing communities. He said that networks and communities of practice can help dealerships share information about scams and trends, allowing them to prevent incidents collectively. Not everything in security requires direct financial expenditure, he said; collaboration also has real value.
Breaches, notification duties, and response
Labuschagne said a security compromise is broader than a cyberattack or a malicious link. It includes any situation in which someone has access to information they should not have had, including internal access to HR or customer information without authorisation.
She said that once there are reasonable grounds to suspect that a security compromise has occurred, the organisation must inform the Information Regulator and the affected data subjects, investigate what happened, and explain what has been done to rectify the issue and prevent it happening again.
Mtsweni agreed and added that many organisations take almost 200 days to discover that a breach has occurred, which suggests that they are not monitoring their environments properly.
Once a breach is identified, he said, containment is critical to stop it becoming larger. Customers should be informed so they can change passwords or take other steps to reduce harm, and the incident should also be reported to authorities such as the police.
He said organisations often respond to a breach while it is in the news and then do nothing afterwards, which leaves them exposed to repeat incidents.
The key is to learn from incidents and implement controls that prevent recurrence.
Accountability across the chain
Miller said accountability begins at the top. In larger organisations, the board must understand the requirements, how the business operates, how data moves, how it is protected, and who has access to it. But she emphasised that ultimate accountability and responsibility lie with each person in the organisation who sees, processes, or moves data.
She said organisations need clear governance structures, mechanisms to understand the flow, processing and destruction of data, and access management tools that help staff take responsibility for the information they handle.
Labuschagne linked this back to the human factor, reiterating that governance documents and IT controls will not be enough if people do not understand their duties or if access is not properly restricted.
Mtsweni added that organisations should not only have plans in place but should also test them. He compared this with fire drills and workplace safety exercises: businesses need to know in advance who will be contacted during a breach, what happens if systems are shut down and how response procedures work after hours.
AI and future risks
Labuschagne noted that AI is increasingly used in dealerships, particularly in marketing and automated processes. Referring to section 71 of POPIA, she said that where a decision with a significant effect on a client – such as assessing creditworthiness or deciding whether a sale will proceed – is based purely on automated decision-making, the client has the right to make representations or provide input.
Mtsweni said AI-powered and automated attacks are also becoming more common. Attackers may already have collected data from multiple sources or embedded malware in dealership systems by the time a deal is being made. He also warned about information leakage through tools such as ChatGPT and other platforms, where staff may upload sensitive information in the interest of speed.
He pointed to developments in digital identity, including a shift away from usernames and passwords towards password-less authentication methods such as tokens. But, he said, many organisations still fail on the basics. The sector will struggle with future threats unless it first masters the fundamentals.
What a future-ready strategy looks like
So, what does a mature and future-ready data compliance strategy look like for modern dealerships?
Labuschagne said POPIA, cybersecurity requirements, and the Cybercrimes Act are now part of the operating environment and should be embraced rather than treated as obstacles. She argued that if customers feel their data is secure, they will buy from a dealership, and that transparency about how data is used and stored helps build trust and protect reputation.
She said a successful strategy starts with understanding what data is collected, where it goes, with whom it is shared, and how long it is kept, and then building training around the actual business process. In her view, POPIA compliance does not start with the F&I function alone; it should be built into the business from the beginning of the customer relationship.
Miller said organisations should also align POPIA with other frameworks by putting proper governance and reporting structures in place, ensuring that teams understand cybersecurity laws and international regimes such as GDPR, and monitoring developments in AI regulation. She highlighted the importance of data minimisation, removing data that is no longer used, and creating clear privacy notices, as well as safeguards such as encryption, authentication, and logical access management.
Mtsweni emphasised that although AI and advanced threats matter, the sector must first get the basics right. Without strong foundations, he suggested, dealerships will continue to face avoidable risks even as the threat landscape becomes more sophisticated.
For dealerships, the message from the panel was clear: cybersecurity and POPIA compliance are not separate technical tasks, but core business disciplines tied directly to customer trust, operational resilience, and reputation.