CDK Global Cyberattack Ripple Effect: Several Car Dealers Report Disruptions

Last week's ransomware attack on software as a service (SaaS) provider CDK Global has had a ripple effect on its customers, as multiple car dealerships serving thousands of locations report disruptions in their filings with the U.S. Securities and Exchange Commission. The CDK ransomware attack has paralyzed thousands of car dealerships across North America, disrupting operations for some of the largest automotive retailers. The attack that began last Tuesday has impacted operations of major players such as Asbury Automotive Group, AutoNation, Group 1 Automotive, Lithia Motors, Penske, and Sonic Automotive, and the number is expected to swell even more in the coming days.

Systems Shut Down After Attack

CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. "With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." This shutdown has hindered dealerships' abilities to manage customer relationships, sales, financing, service, inventory, and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America. They facilitate various operations, including car sales, repairs and registrations. There are only a handful of DMS companies for dealers to choose from. Thus, thousands of dealerships are hugely reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.

How CDK Global Cyberattack Impacts Customers

Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although no evidence of compromise within their own networks was found. Sonic Automotive mentioned that as of Friday, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but the financial impact depends on the system's downtime duration. Group 1 owns and operates 202 automotive dealerships, 264 franchises, and 42 collision centers in the United States and the United Kingdom that offer 35 brands of automobiles.

CDK Customers Move to Manual Methods

Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.

CDK May Pay Ransom

Late on Friday, Bloomberg reported that CDK Global is negotiating with a ransomware gang, which Bleeping later confirmed to be BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages to warn customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK faced a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and update its customers regularly. This attack exposes the critical vulnerabilities in the supply chain of the automotive industry and its reliance on centralized digital platforms.

CDK Global Hit by Cyberattack, Backups Potentially Compromised

CDK Global, a provider of software solutions to auto dealerships across the United States, has fallen victim to a significant cyberattack. This CDK Global cyberattack has forced the company to temporarily shut down most of its systems, effectively bringing sales operations at approximately 15,000 car dealerships to a standstill. The cyberattack on CDK Global has had a profound impact on major clients of CDK Global, including General Motors dealerships, Group 1 Automotive, and Holman, which operates dealerships across eight U.S. states. These dealerships rely heavily on CDK's software to manage their daily operations, from sales transactions to inventory management. "We are actively investigating a cyber incident. Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible," a CDK spokesperson told CBS News. According to the news reports, CDK reported that they had restored some of their systems after conducting extensive tests and consulting with third-party experts. "With the work done so far, our core dealer management system and Digital Retailing solutions have been restored. We are continuing to conduct extensive tests on all other applications and will provide updates as we bring those applications back online," CDK stated in a communication to CBS MoneyWatch. CDK Global’s dealer management system (DMS) serves as a central hub that allows dealerships to monitor their operations from a single interface. Their retail tools enable dealerships to conduct transactions both online and in showrooms. These tools are essential for managing payroll, inventory, and various office operations. CDK also prides itself on offering robust cybersecurity solutions, as stated on its website: "CDK Cybersecurity Solutions provide a three-tiered cybersecurity strategy to prevent, protect, and respond to cyberattacks so you can defend your dealership."

Dealerships' Response to the CDK Global Cyberattack

The sudden outage has caused widespread disruption among car dealerships. Many have been forced to find creative solutions to continue their operations. Dealership employees took to Reddit to discuss the challenges they were facing. They reported relying on spreadsheets and sticky notes to handle small parts sales and repairs, while larger transactions were effectively halted. One employee questioned others on Reddit, asking, "How many of you are standing around because your whole shop runs on CDK?" Responses from users in Wisconsin and Colorado confirmed that their dealership systems were offline, causing significant operational delays. The CDK Global Cyberattack has left many employees with little to do, with some dealerships sending staff home due to the inability to conduct normal business operations. "We are almost to that point… no parts, no ROs, no times… just dead vehicles with nothing to show for them or parts to fix them," lamented one dealership employee on Reddit. Another employee shared, "Excel spreadsheets and post-it notes for any parts we're handing out. Any big jobs are not happening," highlighting the extent to which the disruption has impacted their workflow.

Potential Ransomware Attack

While CDK Global has not released an official statement on the nature of the cyberattack, rumors and reports suggest that the company may have suffered a ransomware attack that also impacted its backups. If it indeed was a ransomware attack, the outages could persist for several days, potentially stretching into the next week or longer. The Cyber Express Team tried to reach out to CDK Global to get an official statement and know more details about the cyberattack; however, as of writing this news report, no response has been received.