Fitzgerald Auto Malls Data Breach: Customers Exposed, But Fitzgerald Delayed The Alert


TL;DR

  • Fitzgerald Auto Malls, a multi-location car dealership chain, suffered a confirmed cybersecurity breach on or about February 4, 2024. An unauthorized party accessed the company’s internal network and may have stolen customer data stored on its servers.
  • Fitzgerald did not notify affected customers until April 24, 2025, a gap of approximately 14 months and 20 days between when the breach was detected and when warning letters landed in inboxes. The letter was sent through a third-party vendor, Cyberscout, a TransUnion company.
  • The company claims it spent that time conducting a “thorough manual review” to identify impacted data. They say the final determination that customer data was involved was only made on March 28, 2025, over 13 months after the initial detection.
  • The breach notification letter omits specific details that customers need. The types of personal information involved, the number of affected individuals, the enrollment URL for free credit monitoring, the activation code, the call center phone number, and the number of months of monitoring offered are all redacted or left blank in the copy of the notice reviewed for this story.
  • Fitzgerald is offering complimentary single-bureau credit monitoring through Cyberscout. That is one bureau, not all three. Meanwhile, your Social Security number, financial records, or other sensitive data may have been in the hands of criminals for over a year before you were told anything.
  • The notice includes state-specific legal rights sections for residents of Iowa, Maryland, Massachusetts, New Mexico, New York, North Carolina, Oregon, Rhode Island, and Washington D.C., suggesting the breach is geographically broad.

The timeline of what Fitzgerald knew and when is the backbone of this story. The 13-month gap between detection and final data determination is broken down precisely in The Legal Receipts section.


What It Feels Like To Be The Last To Know

Imagine this. You buy a car. You hand over everything: your name, your address, your Social Security number, your income, your employment history, your banking details. You trust the dealership with all of it because you have to. That is how buying a car works in America.

Now imagine that sometime in early February 2024, a stranger broke into that dealership’s digital filing cabinet and walked out with your file. Your whole file. And no one told you.

Spring 2024 came and went. You went about your life. Summer. Fall. A new year. You opened new accounts. You applied for things. You trusted your credit score. You assumed your identity was your own. Meanwhile, the company that took your data was quietly running “forensic investigations” and “manual reviews” behind closed doors. Their lawyers were involved. Their cybersecurity consultants were billing by the hour. They were figuring out what happened to your information while you had no idea any of this was occurring.

Then, on a Thursday morning in late April 2025, an email arrived. The sender address was not even a Fitzgerald domain. It came from a third-party vendor. The subject line said “Important Information Please Review Carefully.” That was the first time Fitzgerald told you. Over fourteen months later.

The notification letter is addressed to “Dear” and then nothing. The recipient name field is blank. The personal information types that were exposed are blank. The monitoring service URL is blank. The enrollment code you need is blank. The phone number to call if you have questions is blank. The number of months of monitoring you are owed is blank. The letter is a form with missing parts, sent to people whose information may already be in criminal hands, asking them to act fast on details the company did not bother to include.

This is the cost of trusting a corporation with your most sensitive data. You do not get protection. You get a form letter, a year too late, from a company you can barely reach, offering to monitor one credit bureau out of three. That is what your personal information is worth to Fitzgerald Auto Malls.


Timeline: From Breach to Notification (14 Months of Silence)

  • Feb 4, 2024: Breach detected
  • Early 2024: External forensics team retained
  • 2024 – Early 2025: “Manual review” of impacted data
  • Mar 28, 2025: Fitzgerald confirms your data was hit
  • Apr 24, 2025: You receive email notice

Total: ≈ 14 months, 20 days, including 13+ months of “review.”

What Fitzgerald Actually Wrote — And What It Admits

The following quotes are pulled verbatim from Fitzgerald Auto Malls’ official breach notification letter, dated April 24, 2025, sent via Fitzgerald Auto Malls Incident Notice <FitzgeraldAutoMallsNotice@m.cyberscout.com>. Nothing has been invented or paraphrased.

“After extensive efforts… on March 28, 2025, we determined that the impacted files contained your personal information.” Thirteen months after the break-in. Your data. Their timeline.

What Fitzgerald Claimed vs. What the Record Shows

  • What Fitzgerald claimed: “Privacy and security of personal information is of the utmost importance to us.”
    What the record shows: Breach detected Feb 4, 2024. Customers notified Apr 24, 2025. 14+ months elapsed.
  • What Fitzgerald claimed: “We immediately took steps to secure our network and mitigate against any additional harm.”
    What the record shows: Customers were given no information, no interim guidance, and no temporary freeze recommendation during 14 months of “investigation.”
  • What Fitzgerald claimed: “We are providing you with access to Single Bureau Credit Monitoring… services at no charge.”
    What the record shows: One bureau monitored out of three. Monitoring URL, code, phone number, and duration all left blank in the notice sent to customers.
  • What Fitzgerald claimed: “We conducted a thorough manual review of the data potentially contained on the impacted servers.”
    What the record shows: That review took 13+ months. The specific types of personal data affected are redacted in the customer-facing notice, leaving victims unable to assess their own risk level.

Who Gets Hurt and How

Public Health

Identity theft and financial fraud are not abstract inconveniences. The documented psychological and material consequences are severe and lasting.

  • Victims of identity theft report significantly elevated rates of anxiety, depression, and sleep disorders. The Federal Trade Commission has documented that victims spend hundreds of hours resolving fraudulent accounts, a process that can stretch across years and disrupt employment, housing applications, and medical billing.
  • Because the breach notice includes a section specifically on protecting medical information, there is a real possibility that health insurance data was among what was exposed. Medical identity theft can result in incorrect information being entered into a victim’s permanent medical record, leading to misdiagnosis, denial of insurance coverage, or fraudulent charges that damage credit for years.
  • The 14-month notification delay means that if any affected person’s medical data was misused during that window, they had no opportunity to request corrected records or alert their insurer during the critical period when fraudulent charges were being generated.
  • Low-income customers who bought cars through dealership financing arrangements may face particular vulnerability. For people already managing tight margins, a single fraudulent account or a credit score drop triggered by unauthorized inquiries can make the difference between securing housing and losing it.

Economic Inequality

Data breaches in the automotive finance sector disproportionately harm people with the least financial cushion to absorb the damage.

  • Auto dealerships collect some of the most comprehensive financial profiles anywhere in the consumer economy. To buy or finance a vehicle, customers disclose income, employment status, bank account information, Social Security numbers, and credit history. All of this was potentially on Fitzgerald’s compromised servers.
  • Wealthier customers can absorb the fallout of a fraudulent account. They have legal resources, multiple credit accounts that cushion a score drop, and savings to cover interim losses. Customers who financed a vehicle because they had no other option do not have these buffers.
  • The credit monitoring offer is single-bureau only, which is less useful for lower-income customers who may be applying for credit at institutions that pull different bureaus. The fraud can happen through an unmonitored bureau and Fitzgerald’s offer provides no protection in that scenario.
  • The 90-day enrollment window for the free credit monitoring service, combined with the blank enrollment URL and activation code in the notice, means that customers who receive an incomplete letter and cannot figure out how to enroll may lose access to even this minimal protection through no fault of their own.
  • The geographic spread of the breach, evidenced by state-specific legal notices for nine separate jurisdictions including Iowa, Maryland, Massachusetts, New Mexico, New York, North Carolina, Oregon, Rhode Island, and Washington D.C., suggests a large and geographically diverse victim population spanning multiple economic demographics.
The most comprehensive financial profile you will ever hand to a private company is the one you give the car dealer. Fitzgerald was holding all of it when their network was breached.

Who’s Involved: The Breach Notification Network

  • Fitzgerald Auto Malls: Breached party / Data holder
  • Unknown Attacker: Unauthorized network access
  • External Forensics Firm: Unnamed; hired by Fitzgerald
  • Cyberscout / TransUnion: Sends notice; delivers monitoring
  • Affected Customers: Notified 14+ months after breach

Relationships shown in the diagram: breached, hired, contracted, sends email notice, 14-month delay.

What Fitzgerald’s Response Is Actually Worth

445 days elapsed between the breach Fitzgerald detected and the day a customer received their notification email.

That is one year, two months, and approximately 20 days during which an unknown criminal may have held your name, your financial data, and potentially your Social Security number, while Fitzgerald completed its review process in silence.

1 / 3 credit bureaus being monitored under the free service Fitzgerald is offering as its primary remedy.

Equifax, Experian, and TransUnion all maintain separate files on you. A fraudulent inquiry or new account opened through either of the two unmonitored bureaus will not trigger any alert under Fitzgerald’s offer.

90 days customers have to enroll in the monitoring service. The enrollment URL and activation code were blank in the notification letter reviewed for this investigation.

Customers receiving an incomplete notice must contact the company directly within this window or lose the monitoring benefit entirely, on top of already being 14 months behind in protecting themselves.


What You Can Actually Do Right Now

Fitzgerald has bought itself legal cover. You need to build your own protection immediately, regardless of whether the company’s monitoring service is set up properly.

Regulatory Bodies to Contact

  • Federal Trade Commission (FTC): File an identity theft report at ftc.gov/idtheft or call 1-877-IDTHEFT. The FTC’s Identity Theft Data Clearinghouse forwards your report to law enforcement. Your report builds the public record that forces regulators to take this breach seriously.
  • Your State Attorney General’s Office: The Fitzgerald notice specifically references Iowa, Maryland, Massachusetts, New Mexico, New York, North Carolina, Oregon, Rhode Island, and Washington D.C. as states where residents have additional rights. If you live in any of these states, file a complaint with your state AG’s consumer protection division. Contact details for each are in the source document linked below.
  • Consumer Financial Protection Bureau (CFPB): If fraudulent financial accounts appear in your name connected to this breach, file a complaint at consumerfinance.gov/complaint. The CFPB has enforcement power over banks, credit reporting agencies, and lenders involved in fraud remediation.
  • Your State’s Division of Motor Vehicles or Financial Regulation: Auto dealerships are licensed at the state level. A sustained pattern of data mishandling is grounds for a licensing complaint, which creates a public record separate from civil litigation.

Immediate Self-Protection Steps

  • Place a security freeze at all three bureaus now, before you enroll in the monitoring service. Freezes are free. Equifax: (888) 298-0045. Experian: (888) 397-3742. TransUnion: (888) 916-8800. You can lift the freeze temporarily to sign up for monitoring, then refreeze immediately.
  • Pull your free annual credit reports from all three bureaus at annualcreditreport.com or call 1-877-322-8228. Look for accounts you did not open, inquiries you did not authorize, and addresses you do not recognize. Print or save the reports.
  • Place a one-year fraud alert at any one of the three major bureaus (Equifax, Experian, or TransUnion). That bureau is required to notify the other two. A fraud alert requires creditors to verify your identity before opening any new account in your name.
  • If you believe your medical information may have been compromised (the notice includes guidance on medical identity theft), request a year-to-date benefits report from your health insurer and ask your providers for copies of any records generated since February 4, 2024.
  • Contact Fitzgerald Auto Malls directly to demand the complete notification letter with all fields filled in: the specific data types affected, the monitoring enrollment URL, your activation code, the number of months of monitoring, and the call center phone number.
  • Document everything: Save the breach notification email, record dates and times of every call you make, and keep copies of your credit reports at regular intervals. If litigation or regulatory action follows, your documentation is evidence.

Mutual Aid and Collective Action

  • Share this article with anyone you know who has bought a car from a Fitzgerald Auto Malls location. Many people receive breach notices and do not understand what they mean or what action to take. Information sharing is the fastest form of mutual aid.
  • Connect with local consumer protection organizations in your area. Non-profit credit counselors can help you navigate the freeze and monitoring process for free. The National Foundation for Credit Counseling (nfcc.org) is a starting point.
  • Talk to a consumer rights attorney about whether the 14-month notification delay violates your state’s breach notification law. Many consumer attorneys take data breach cases on contingency, meaning no upfront cost to you.
  • File a complaint with your state AG even if you have not yet seen fraudulent activity. Regulatory action thresholds are hit by volume of complaints. Every filing matters for building the political will to hold Fitzgerald accountable.

The source document for this investigation is attached below.

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
