In the middle of July, a small dealer in Oregon started to get a lot of attention. I’m fairly certain their website visitors spiked and at least one VDP started to get massive traffic. You see, somehow a 2001 Mercedes-Benz got transformed into a picture of a naked woman. Yes, you heard that right. Word started spreading amongst the automotive circles on social media AND, more importantly, to the public through a very popular automotive blog, Jalopnik. We (being my friends in the automotive community) found it quite amusing. The author of Jalopnik reports that he called the dealership and the faux pas was blamed on… wait for it… a computer virus. This “naked woman” VDP was appearing all across the Internet – the dealer’s website, Cars.com, and Auto.com being amongst them. I bet that dealer got more phone calls, leads and VDP views on this 2001 Mercedes than any vehicle it has ever had in its history.
The problem didn’t stay there, however. Once I verified this on their website and Cars.com, I started researching to see exactly how widespread this was. That vehicle (and picture) was everywhere. Not only that but once I SAW the picture, I couldn’t UNSEE it. Yes, the remarketing magic kicked in. All of a sudden, I had a naked woman stalking me on the Internet.
Anyone who knows the path of data distribution in the car industry knows that this didn’t originate with Cars.com. If you don’t know, this is basically the flow:
Dealer/3rd Party Photo Service -> Data Distribution Company -> 3rd Party websites
Having worked at HomeNet for a while, I got fairly familiar with this process. Some dealers would argue that “data distribution company” should be replaced with “website provider” but, for the most part, website providers don’t actually do the data distribution. In most cases, they subcontract out the service to companies like HomeNet. As a dealer, you may or may not be aware of this as your website provider may include data distribution in their service. I cannot count the times that I called dealers whose data feed we already had to try and sell them services and they had no clue that we (HomeNet) were distributing their data already.
How could something like this happen? Well, there are several possibilities so let’s get started.
- Computer virus/Hacked – I don’t buy this one. This would have to be a pretty intricate virus with the ability to identify a picture of a naked woman, log into the dealer’s account with their data company, choose a vehicle and upload the picture into the system. When I looked at their website, it was only this single VDP that had the explicit picture. If it were a computer virus, chances are more than likely that it would have replaced EVERY picture for all of the vehicles. Not just one. Viruses are malicious. They want to do damage. The same rationale goes for a hacker. Replacing one picture isn’t going to make some guy so happy he spits out his Twinkie while Mountain Dew flies out of his nose. (I know, total stereotype. It was simply an effort to be amusing.)
- Dealer Accident – This is certainly a possibility. In the past, dealers have been notoriously vocal about how difficult and time-consuming it was to take and upload pictures. This motivated the industry into creating software that made it easier. It’s possible that whomever was in charge of uploading pictures at the dealership happened to have this naked girl on their desktop or in the folder with the vehicle pictures and it accidentally got uploaded. Knowing the mechanics of retrieving pictures from a camera, then manually selecting the pictures that go each which vehicle while uploading them makes this scenario also unlikely. There was only a single picture for this vehicle so you can’t say that it was mixed in with 30+ other pictures of the same vehicle.
- Third Party Photo Service – This, again, is pretty unlikely. Photo services depend on their clients for revenue. For the most part, they also use technology that makes taking pictures and attributing them to vehicles pretty efficient. Scan a Vin. Take a bunch of pictures. Repeat. Upload. It’s pretty automatic. Seeing as this explicit photo wasn’t a picture of a picture, the likelihood that it was already on the camera is slim-to-none. The exception here would be smaller photo services that don’t use this sort of technology. In those cases, you would refer back to possibility #2 above.
- Cars.com – Forget about it. Do you really think Cars.com has the time to upload photos for dealers? They simply take a feed that originated as a combination of a DMS vehicle record and corresponding pictures and a listing is created automatically. Obviously there isn’t a censor watching on their end. They probably don’t feel the need for one. It’s certainly not scalable for them to view the millions of inventory pictures they get daily from dealers across the country.
- On Purpose – This is the most likely scenario. Someone was either disgruntled or wanted a little laugh. Based on the results of widespread distribution though, this had to happen at or before the data distribution link in the chain of events for it to get disseminated as much as it was. Unless the dealer used a small photo service that they just cancelled, the likelihood that it was a vendor is small. People have to pay the rent, you know. The simplest solution is that someone at the dealership, that had the log-in to upload a picture, is the culprit. As they say, the simplest answer is usually the correct one. Maybe they were upset. Maybe it was a prank. We’ll probably never know.
Dealers are way too lax with their vital services and log-ins. Most CRMs have unique log-ins as they need to track activity and tie it to specific employees. The same is true with MOST log-ins to a DMS. Exceptions exist, however. There are many instances of shared or single passwords being used by dealers to access services. How about social media accounts? Imagine that showing up on your Facebook page, Twitter, Instagram, etc. A lot worse can happen to a dealer than the scenario in this article.
Vendors aren’t immune to this either. Read the comments on that Jalopnik article. Cars.com got some unwanted publicity as well. Consumers don’t know the mechanics involved. They simply blamed Cars.com and had a good laugh. That picture/VDP was on their (and other) websites for HOURS. I reached out to them via Twitter. While they wouldn’t get specific with me (although I’m sure they know exactly where they got the feed from) they did deny responsibility tweeting that the image “originated from a 3rd party site.”
The point of this article isn’t to cast blame. I’m certainly not Sherlock Holmes. I’m simply using common sense. As dealers, your website and VDPs are your virtual dealership. Unless you would place a naked girl in the middle of your lot to bring in traffic, you probably don’t want this happening to you. (Although it would probably work better than a giant inflatable gorilla or wavy tube guy. Just saying.) You should treat all of your services as if you were in the military. Log-ins and passwords (especially administrator-level ones) should be shared on a “need to know” basis. In every possible case, there should be levels of access for individual users. This way, you can control who can access what, what they can do once there, and, if something goes wrong, hold someone accountable.
Dealers also need to know, and control, exactly where their inventory is going. Most dealers get sold on the fact that there inventory will be on a gazillion websites and their eyes light up like a child seeing his or her presents under the tree on Christmas morning. Dealers should know not only whom THEY are sending their inventory to but also to whom THOSE people may be sending it to as well.
While this was an amusing venture that didn’t last a terribly long time, it’s a perfect example of Murphy’s Law – “If anything can go wrong, it will.”
Data security is something that’s becoming more prominent in the eyes of consumers. If someone can upload a naked picture of a woman and get that on hundreds of websites in a minute, imagine what someone who REALLY wants to get revenge or create havoc can do with your DMS database, social media accounts, CRM, customer information (including socials, DOBs, etc)…and guess who would be responsible…