It appears that it was due to a laid off employee which is where quite a bit of malicious activity occurs. Passwords should have been changed. I can understand the company wanting to be able to brick the car for lack of payments, makes sense, no dangers like repo'ing. I would be more alarmed if someone not previously associated with the company was able to accomplish the same task.
I wonder what this will do to sales at the 4 dealerships