Nearly three weeks after it was first attacked and just days before a crucial holiday weekend, CDK Global reported it had restored the operations that were the subject of a ransomware attack.
“We are ahead of the anticipated schedule, and as of this morning, substantially all dealer connections are live on the Dealer Management System,” the company said in a statement released July 2.
The move comes after the company had brought a “small initial test group” of auto dealerships back online starting late last week, after cyber criminals affected the operations of thousands of dealers across the U.S. at the end of June.
CDK Outage
The company had previously stated it didn’t believe its systems would be back online before June 30 and then pushed that to July 4, forcing auto dealerships to create workarounds in their sales and service departments.
CDK Global, whose software is used at 15,000 auto dealers, was first attacked on June 19 around 2:00 a.m. EDT, in an event that hampered operations at U.S. and Canadian dealerships. The company was able to restore some functions by that afternoon—but its systems were attacked again before the business day started on Thursday, June 20 and have been down since.
Several major auto companies—including Stellantis, Ford and BMW—confirmed the CDK outage had impacted some of their dealers, but that sales operations continue as dealers resorted to pen and paper to work deals.
Group 1 Automotive officials said its dealerships continue to conduct business using “alternative processes,” while AutoNation, with over 300 dealerships in the U.S., reported the cyberattack impacted its dealership operations, including sales, service, inventory, customer relationship management, and accounting functions.
July Bounce Back
The cyberattack that affected U.S. dealerships is expected to have a “significant” impact on sales for the month of June, according to J.D. Power officials.
“Because of the disruption to dealer software systems, June sales will not be reflective of actual consumer demand for new vehicles,” stated Thomas King, president of the data and analytics division at J.D. Power. “Instead, a significant number of sales that would have occurred in June are now likely to occur in July.”
According to a joint forecast from J.D. Power and GlobalData, total new-vehicle sales for June 2024, including retail and non-retail transactions, are projected to reach between 1,336,800 and 1,273,600 units, a 2.6 percent to 7.2 percent decrease from June 2023.
“Sales will be delayed, but the majority will likely occur in July shortly after the situation is rectified,” said King. “Looking forward to July, we expect…most of the lost June sales recovered within the month. Also, a robust start to July is expected due to the extended July 4th holiday weekend.”
Lawsuits Filed
In the meantime, at least eight lawsuits in federal court have been filed against CDK. Several lawsuits are seeking class-action status and accuse the company of neglecting to properly protect the plaintiffs’ personal information from cyberattacks, which have become increasingly common. They’re requesting damages, an increase in its efforts to protect personal information, and a purge of all personally identifiable information (PII) related to the plaintiffs.
A group of smaller dealers who use CDK’s systems filed a joint lawsuit June 30 in the Southern District of Florida, accusing the software company of negligence, breaching its fiduciary duty, and unjust enrichment. In addition to the impact on dealers, the lawsuit notes that commission-based salespeople suffered financial damages and emotional distress.
The plaintiffs are Florida-based Formula Sports Cars and Prestige Motor Car Imports, Georgia-based Bill Holt Chevrolet of Canton and Bill Holt Chevrolet of Blue Ridge, and two Florida residents who purchased cars through dealers using CDK’s systems.
Ransomware Attack
To restore services, CDK reportedly negotiated with an Eastern European ransomware group called BlackSuit to secure a decryptor and ensure that no stolen data is leaked. The cyber attack forced the company to shut down services and pay the ransom—reportedly costing tens of millions of dollars—to restore the cloud-based software that helps dealerships in the country manage vehicle acquisitions, sales, financing, insuring, repairs and maintenance, according to a Bloomberg report.
BlackSuit is widely believed to be a rebranding of the Royal ransomware operation, a direct successor to the Conti cybercrime syndicate. Comprising Russian and Eastern European threat actors, this organized gang has been a persistent security concern.
Additionally, the company warned it is aware of “bad actors” posing as members or affiliates of CDK to try to obtain system access by contacting customers and urged employers to be cautious of any attempted phishing.