Last week, CDK Global, a prominent software as a service (SaaS) provider for the automotive industry, fell victim to a ransomware attack that has significantly disrupted operations for numerous car dealerships across North America. This attack has impacted some of the largest automotive retailers, including Asbury Automotive Group, AutoNation, Group 1 Automotive, Lithia Motors, Penske, and Sonic Automotive. These disruptions have been formally reported in filings with the U.S. Securities and Exchange Commission (SEC), highlighting the widespread effect of the cyber incident.
Widespread Disruptions Across the Automotive Industry
The ransomware attack has paralyzed operations at thousands of car dealerships, causing significant setbacks in various business functions. As a key provider of SaaS platforms, CDK Global supports over 15,000 car dealerships in North America, assisting with customer relationship management, sales, financing, service, inventory management, and back-office operations. The attack has underscored the automotive industry’s heavy reliance on a few digital service providers, emphasizing the critical role that CDK Global plays in the sector.
Immediate Response of CDK and System Shutdown
In response to the cyberattack, CDK Global took the precautionary step of shutting down its systems to mitigate further damage. A spokesperson for CDK Global stated, “With the work done so far, our core DMS and Digital Retailing solutions have been restored. We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing.”
This preemptive shutdown has significantly hindered dealerships’ abilities to manage essential operations, including customer interactions, vehicle sales, repairs, and registrations. The disruption has forced many dealerships to revert to manual methods, which has slowed down their operations considerably.
Impact on Major Automotive Retailers
Several major automotive retailers have activated their incident response plans and disconnected from CDK systems as a precautionary measure. While no evidence of compromise within their own networks has been found, companies like Asbury Automotive Group, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive are experiencing significant operational challenges.
Sonic Automotive reported that the extent of customer data access by the attackers remains unknown, raising concerns about potential data breaches. Lithia Motors highlighted the ongoing negative impact on its operations, expressing uncertainty about the financial implications. Group 1 Automotive noted that the duration of the system downtime would determine the financial impact, with CDK Global aiming to restore the dealer management system within “several days and not weeks.”
Adapting to Manual Methods
In the wake of the cyberattack, many dealerships have implemented business continuity plans to maintain operations. Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which deals in heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has resorted to manual and alternate processes designed for such incidents, allowing it to continue operations despite the digital disruption. Penske also noted that the truck dealership business, which serves business customers, has lower unit volumes compared to automotive dealerships, mitigating the impact to some extent.
Asbury Automotive Group stated that while business operations are functioning, they are slower than usual. The company’s Koons Automotive locations in Maryland and Virginia, which do not use CDK’s Dealer Management System or Customer Relationship Management system, have experienced minimal disruption. Similarly, Asbury’s Clicklane online vehicle purchasing platform continues to operate smoothly. Asbury operates 157 new vehicle dealerships, encompassing 206 franchises representing 31 domestic and foreign vehicle brands.
Negotiations with the Ransomware Group
Reports emerged late last week indicating that CDK Global is negotiating with the ransomware group responsible for the attack. The group was initially identified as BlackSuit, a rebrand of the Royal ransomware group known for a previous attack on the city government of Dallas, and it has not disclosed the ransom amount. Bloomberg reported that CDK Global plans to pay the ransom, although details remain unclear.
In an effort to safeguard against further unauthorized access, CDK Global has issued prerecorded messages warning customers about hackers posing as CDK staff. Despite progress in recovering from the initial attack, CDK Global faced a second cyber incident that led to another complete shutdown of its systems. The company is collaborating with third-party experts to assess the full impact and is providing regular updates to its customers.
Revealing Vulnerabilities in the Automotive Industry
This cyberattack on CDK Global has exposed critical vulnerabilities in the supply chain of the automotive industry. The heavy reliance on centralized digital platforms for managing dealership operations has been highlighted as a significant risk. The incident underscores the need for stronger cybersecurity measures and contingency plans to safeguard against such disruptions in the future.
As the situation evolves, automotive dealerships and CDK Global continue to navigate the challenges posed by the cyberattack, working diligently to restore normal operations and minimize the long-term impact on their businesses.








