In a significant blow to the auto industry, CDK Global, a software provider serving nearly 15,000 car dealerships across North America, is grappling with the aftermath of two consecutive cyberattacks that struck on June 19. Affected dealerships have been crippled, leading to widespread disruptions in operations and sparking a flurry of lawsuits.
The cyberattacks hit CDK’s dealer management systems, forcing dealerships to find alternative means to continue their business activities. “Customers are coming in, we’re selling cars, but we can’t book the deals, can’t finance the deals or get them to the banks. Which means we cannot fund the cars or pay off the cars,” one dealer lamented in a lawsuit.
Several lawsuits, including potential class actions, have been filed against CDK. Tucson resident Omar Aviles, an employee of Asbury Automotive Group, filed a proposed class-action suit, alleging CDK failed to protect the “litany of highly sensitive personal identifiable information” it had stored about former and current clients and their customers and employees. This data includes Social Security numbers, employment histories, driver’s license information, and financial account details. The lawsuits accuse CDK of having “no effective means to prevent, detect, stop or mitigate breaches,” resulting in severe anxiety among employees and customers alike.
In response to the attacks, CDK was compelled to shut down its systems early in the morning of June 19. However, another “cyber incident” occurred later that evening, compounding the damage. The following weeks saw a scramble to restore services, with a “small initial test group of dealers” regaining access roughly a week later. In a memo to dealers, CDK stated it would not be able to fully restore systems access before June 30.
As dealerships struggled with operational setbacks, commission-based salespeople experienced financial losses and emotional distress. The cyberattack’s impact stretched beyond dealerships, affecting individuals reliant on the seamless operation of these systems. Florida-based Formula Sports Cars and Prestige Motor Car Imports, along with Georgia-based Bill Holt Chevrolet, have filed lawsuits alleging negligence and unjust enrichment by CDK.
CDK’s website touts its cybersecurity capabilities, boasting a “three-tiered cybersecurity strategy to prevent, protect and respond to cyberattacks.” Yet, lawsuits claim that the company’s cybersecurity practices were grossly inadequate. “CDK has failed to uphold its promises and responsibilities that it made throughout the course of its marketing campaigns making users feel at ease,” one suit contends.
The distress felt by those impacted is palpable. “It’s a disaster,” remarked a dealer in one of the lawsuits, describing how the attacks disrupted their business. Some major dealerships, such as AutoNation, Lithia Motors, and Sonic Motors, were forced to resort to manual operations, lacking access to CDK’s suite of services like e-signing and appointment scheduling tools.
CDK is working with law enforcement and third-party experts to investigate the breaches. The attacks have been attributed to the BlackSuit ransomware gang, known for demanding multimillion-dollar ransoms. Bloomberg and Recorded Future ransomware analyst Allan Liska identified BlackSuit as the perpetrators behind the June 19 cyberattacks. BlackSuit recently published stolen files from a Kansas police department after it refused to pay their ransom demands.
The class-action lawsuits are not just seeking monetary damages but also demanding that CDK enhance its cybersecurity measures and purge all personally identifiable information related to the plaintiffs. Yuriy Loginov, another plaintiff, claimed the cyberattacks have put him at “a current, imminent, and ongoing risk of fraud and identity theft” due to CDK’s “negligent conduct.” Loginov is seeking data monitoring services, reimbursement for incurred costs, and other financial relief.
The financial ramifications for CDK’s clients are significant. Analysts from J.P. Morgan predict a 10% drop in second-quarter earnings for the six largest public U.S. dealers impacted by the cyberattacks. Penske Automotive Group, which uses CDK’s systems for its Premier Truck business, has implemented protective measures to operate its 48 locations in the U.S. and Canada.
CDK’s CEO, Brian MacDonald, addressed the situation in a statement, expressing the company’s commitment to resolving the issue. “Personally, I have spoken to and continue to communicate with many dealers, OEMs, and partners directly,” MacDonald told Automotive News. Meanwhile, smaller dealerships continue to navigate the challenging landscape left in the wake of the cyberattacks, unsure when their operations will return to normal.
As CDK endeavors to recover from these cyberattacks, the broader implications for the auto industry and its cyber defenses remain to be seen.
News Sources
- CDK Global faces multiple lawsuits from dealerships crippled by cyberattack
- CDK Global hit with at least eight lawsuits over car dealer disruptions
- CDK Global sued for exposing personal data after cyberattack
- CDK Global says car dealership cyberattacks are being resolved
- CDK Global hit with second lawsuit in devastating car dealer cyberattacks
Assisted by GAI and LLM Technologies
Source: HaystackID
