Cyberattack on CDK halts auto industry progress, with car dealerships reporting extensive repercussions
CDK Global Cyberattack Continues to Impact Car Dealerships
A cyberattack on CDK Global, a significant software-as-a-service vendor for around 15,000 car dealerships in North America, has caused widespread disruption to dealership operations since mid-June.
The attack, which remains uncommented on by CDK Global, has affected various business functions such as sales, customer relationship management, inventory, and accounting for many dealerships. As a result, dealers have had to deal with the impacts of the cyberattack on CDK's hosted dealer management system while remaining open for business.
Some of the largest car dealerships in North America, including Autonation, Group 1 Automotive, Lithia Motors, Sonic Automotive, and Penske Automotive Group, have disclosed potential material impacts due to the cyberattack on CDK Global. These disclosures, made to the Securities and Exchange Commission (SEC), indicate that the dealers are using workarounds to minimize disruption caused by the outage.
According to Group 1 Automotive, CDK expects to restore its dealer management system within several days, not weeks. However, the ongoing impact on the business operations of the car dealers is likely to continue until the relevant systems are fully restored.
The cyberattack on CDK Global has highlighted a persistent problem in cybersecurity, particularly for vendors with a strong market share. The attack has also underlined vulnerabilities in dealership IT infrastructure, particularly due to legacy systems combined with cloud apps, large employee bases prone to insider risks, and supply chain vulnerabilities from third-party integrations like financing and DMV systems.
The attack has catalyzed stronger security measures and compliance focus within the auto dealership industry. Many dealerships are now investing in cybersecurity frameworks and employee training to mitigate phishing and ransomware risks. There is also an increased focus on rigorous audits and adherence to compliance standards to maintain manufacturer and financial institution relationships.
The event has also led to a possible shift away from over-reliance on single providers like CDK, with dealerships seeking diversified software or backup solutions to avoid total operational shutdowns. Despite these efforts, the ongoing risk of financial and reputational damage in case of future cyber incidents necessitates stronger risk management.
In the past year, the auto dealership industry has seen a sharp increase in cybersecurity incidents, with one-third of U.S. dealerships experiencing cyberattacks in 2024, compared to 295 in 2023. This underlines a growing threat landscape for the auto retail sector.
CDK Global was acquired by private equity firm Brookfield Business Partners in a deal valued at $8.3 billion in April 2022. The company was not immediately available to comment on the cyberattack.
Financial losses and legal consequences
Collectively, dealers lost around $605 million within two weeks of the outage, with retail unit sales down by an estimated 7.2% in June 2024 compared to the previous year. CDK’s parent company and affected dealerships’ share prices also dropped significantly after the attack.
At least eight lawsuits alleging negligence have been filed against CDK by dealerships impacted by the outage. The car dealers are using similar language in their SEC filings to disclose potential impacts from the cyberattack on CDK Global.
Looking forward
The CDK Global cyberattack has significantly disrupted dealership operations, inflicted heavy financial losses, and exposed supply chain cybersecurity vulnerabilities. The event has catalyzed stronger security measures and compliance focus within the auto dealership industry, though risks remain elevated given the expanded threat environment in 2024 and beyond.
- The cyberattack on CDK Global, a software-as-a-service provider for numerous car dealerships, has resulted in numerous financial losses for the affected dealerships, with one industry report estimating a collective loss of approximately $605 million within two weeks of the outage.
- The cyberattack on CDK Global, a significant vendor in the automotive industry, has brought to light the ongoing issues in cybersecurity, particularly concerning dealership IT infrastructure, among other industries such as finance and transportation.
- In response to the CDK Global cyberattack, the auto dealership industry is focusing on strengthening cybersecurity frameworks, employee training, and compliance standards to enhance overall risk management and maintain manufacturer and financial institution relationships.
