Cyberattacks on Auto Dealers Remain Dangerously High a Year After CDK Incident, Report Finds

Published: September 9, 2025

A year after an unprecedented cyberattack on CDK Global’s dealership management system shook the retail automotive sector, dealerships across the United States are still grappling with significant threats every day.

The newly released “State of Cybersecurity 2025” report by Proton Dealership IT and Cybersecurity paints a sobering picture. Waves of cyberattacks have persisted well above historic baselines, exposing industry-wide vulnerabilities that demand urgent attention and action. The report charts the evolution of dealership cyber threats from July 2024 to June 2025, providing a data-driven assessment as well as practical recommendations for fortifying dealership defenses.

The CDK Cyberattack and its Aftermath

In June 2024, the retail auto sector faced an event of unprecedented scale. Thousands of dealerships found their core business functions abruptly paralyzed, unable to process transactions or access vital systems for days. This single event not only debilitated daily operations but sent a clear signal to cybercriminals worldwide about weaknesses in automotive cybersecurity. Malicious actors recognized the industry’s lagging preparedness and were quick to take advantage.

The months following the June incident witnessed an explosive surge in cyber activity targeting dealerships. According to Proton’s analysis, the immediate aftermath saw attack levels spike to an astonishing 242.5 percent above the pre-June baseline. The sheer volume and frequency of attempted breaches forced many dealers to reassess their risk profiles and attempt to protect vulnerable networks.

Curiously, this spike was followed by a sharp drop into late summer: by September, malicious activity receded to just 8.35 percent above the previous norm. However, as cybersecurity teams tightened defenses, some dealerships remained exposed, lulled by the brief return to normalcy. This period of relative calm, the report warns, may have actually reinforced a false sense of security among some in the industry.

Holiday Season Escalation

However, any hope that this increase in cyber threats was a blip on the radar was gone during the 2024 year-end holiday season. Beginning in November and continuing through the New Year, cyberattacks resurged. Proton’s data shows attacks over the Thanksgiving through New Year’s holidays rocketed to nearly 110 percent higher than the same period the previous year.

This timing was no accident. Cybercriminals are notorious for orchestrating attacks during holidays and off-peak hours, when IT staff may be thin and businesses are otherwise distracted. The automotive sector, operating on tight margins and with a strong reliance on digital systems for everything from payroll to inventory management, proved a ripe target. Attackers employed tactics such as ransomware, phishing, and social engineering, aiming to maximize the impact when dealership teams were least prepared to respond quickly.

Dealerships that had embraced proactive cybersecurity strategies were better positioned to detect and respond to these holiday attacks. Others, still catching up from the summer’s attack, were forced into rapid, costly response efforts—sometimes shutting down operations to limit potential damage.

March 2025: The Fake CAPTCHA Malware Campaign

The new year brought no respite. In fact, attack trends threatened to surpass even the post-June 2024 surge. The most dramatic spike came in March 2025, when the threat level soared to 221.6 percent above baseline, nearly matching that previous summer spike.

At the heart of this escalation was a supply chain attack known as the “Fake CAPTCHA Malware Campaign.” Attackers compromised images and videos hosted by dealership website providers, injecting them with malicious code. When users accessed these seemingly innocuous assets, most often while browsing vehicle photos, they inadvertently triggered the download and execution of sophisticated malware on their computers.

The malware’s capabilities were wide-ranging and dangerous: it could scrape browser histories, steal login credentials, and provide remote control over the infected devices. Armed with this level of access, attackers were able to infiltrate sensitive dealership systems, including payroll accounts, online banking, and even Original Equipment Manufacturer (OEM) portals.

Proton Dealership IT and Cybersecurity played a key role in blunting the impact of this attack. As one of the first cybersecurity partners to detect malicious content in the compromised image files, Proton rapidly mobilized defenses. Their team immediately worked to block further attacks and advised affected website providers to remove the infected content, effectively mitigating the fallout before the campaign could escalate into a wider ransomware event.

Current Threat Levels: Persistent and Evolving

While the intensity of cyberattacks has gradually decreased since the March 2025 peak, the threat remains at an alarmingly elevated level. As of June 2025, attack activity is still roughly 150 percent higher than the pre-June 2024 baseline, demonstrating that the industry is now operating in a climate of chronically heightened risk. Proton’s report notes that activity has never returned to “normal” levels. Instead, would-be attackers continue to probe for vulnerabilities, adapting their techniques and launching creatively engineered assaults, from cleverly disguised phishing scams to increasingly targeted ransomware campaigns.

The report attributes this persistent threat to several factors. First, the visibility and public impact of the June 2024 incident emboldened cybercriminals, who quickly coordinated efforts to exploit perceived weaknesses. Second, as dealerships rapidly increased reliance on digital platforms, cloud-based operations, and remote access tools, their attack surfaces expanded—and not all had properly secured these additional avenues. Lastly, attackers are evolving, constantly seeking new ways past traditional security tools through social engineering and supply chain compromises.

Proton’s Recommendations for Dealerships

Faced with the ongoing challenge of balancing daily operational demands against the strategic need to stay ahead of increasingly intelligent and determined cyber adversaries, Proton advises dealerships to take a comprehensive, multi-layered approach to security. The following best practices are highlighted in the report—each critical to minimizing the likelihood and mitigating the potential impact of future incidents:

  • Employee Training: The majority of successful breaches still begin with human error. Dealerships must continuously train every employee to recognize social engineering ploys and phishing attempts, empowering staff to serve as the first line of defense.
  • Robust Authentication and Filtering: High-quality email filtering should be combined with mandatory Multi-Factor Authentication (MFA) across all cloud and remote-access systems. These steps significantly reduce the risk of credential compromise and unauthorized access.
  • Managed Detection and Response (MDR): Powerful MDR solutions are now essential for dealerships. These tools provide continuous monitoring, real-time threat detection, and automated response, markedly improving the ability to spot and contain threats before they escalate.
  • Professional 24/7 Monitoring: Relying on in-house IT alone is no longer sufficient. Proton recommends that dealerships partner with professionals who can monitor, maintain, and update cybersecurity platforms around the clock, ensuring rapid response whenever new threats emerge.
  • Incident Response and Recovery Planning: Even the best defenses cannot guarantee immunity. Dealerships must have clear, practiced incident response and recovery plans—designed to minimize downtime and financial impact should attackers breach their defenses.

A year after the landmark CDK cyberattack, the U.S. automotive retail industry is still waging a constant battle to defend against sophisticated digital threats. With attack rates still drastically higher than historical norms, the difference between a devastating ransomware incident and a minor technical hiccup often comes down to preparation and vigilance.
