Dealers across the U.S. resorted to pen and pencil to complete transactions in their dealerships as one of the key software programs remained down over the weekend.
CDK Global has not made any public comments since shutting down its services on Thursday, June 20, after a second cyberattack. Besides vehicle sales, vehicle repair and maintenance services at auto dealerships are affected. Automotive News reported on June 23 that the company notified users that the restoration process following the cyber ransom attack has begun and that it will take “several days” to end outages—the first time it has referred to the cyberattacks as a ransom event.
CDK Global, whose software is used at 15,000 auto dealers, was first attacked on June 19 around 2:00 a.m. EDT, which hampered operations Wednesday at U.S. and Canada dealerships. The company was able to restore some functions, which began to come back online by Wednesday afternoon—but its systems were attacked again before the business day started on Thursday, June 20.
How Attack Affects Dealers
While the technology company deals with the ransomware attack, affected dealers have kept working with customers seeking their services. While some dealers have suspended operations, others are writing up reports by hand until the matter is resolved.
Several major auto companies—including Stellantis, Ford and BMW—confirmed last week that the CDK outage had impacted some of their dealers, but that sales operations continue.
“Although there is an industry-wide system outage for some dealers who use CDK, Ford and Lincoln customers are able to receive sales and service support due to alternative processes available to our dealers,” Ford said in a statement shared with CNN. “While a customer’s local dealer remains the best place for information about their sales and service needs, they can always contact the Ford Customer Relationship Center.”
Group 1 Response
Group 1 Automotive, with 188 dealerships located in the U.S., immediately activated its cyber incident response procedures and took measures to protect and isolate its systems from CDK’s platform, according to company officials. Despite the disruption, all Group 1 U.S. dealerships continue to conduct business using “alternative processes”.
CDK has advised that it anticipates the restoration of the dealer management system will require several days. The auto group’s ability to determine the material impact, if any, of the incident and the resulting service outage, will ultimately depend on a number of factors, including when, and to what extent, it resumes its access to CDK’s dealers’ systems.
“Our associates are coming together with an unwavering focus on delivering the best possible customer experience. Their efforts have been nothing short of exemplary,” said Daryl Kenningham, Group 1’s President and Chief Executive Officer, in a press statement.
AutoNation, with over 300 dealerships in the U.S., said it is in regular communication with CDK regarding the incident and continues to take steps to minimize any potential impact on the business. The cyberattack impacted its dealership operations, including sales, service, inventory, customer relationship management, and accounting functions.
“While the outages of CDK’s systems and our DMS have been disruptive and adversely impacted our business, all of our locations remain open, and we are continuing to sell, service, and buy vehicles, and otherwise serve our customers, through manual and alternative means and processes, albeit with lower productivity,” according to a statement released by the company.
View from Dealers
Thad Szott, whose family owns dealerships in Michigan, explained to the Detroit Free Press that CDK Global is “basically our operating system inside our dealerships that does all of our accounting, supports us working with lease payments, cash prices, look up parts, write up repair orders. Basically, everything that operates inside the dealership on the computer.”
Dearborn Village Ford general sales manager Jay Sturtz said his salesmen on the floor are working around the cyberattack by writing orders as they wait for CDK to come back online.
Sturtz offered that it’s “been difficult, more so in service than in sales. They do need to have this information in CDK. We are going to handwriting repair orders. So, we’ll just have to, once the system comes back up, we’re going to have to put those into the system.”
Effect on Service Departments
Jeff Ramsey, an executive with Ourisman Automotive Group, headquartered in Maryland, said the outage cost his dealerships some business. Customers who are delayed in closing a sale at one of his dealerships could just find a dealer nearby that’s not having these issues and buy a new vehicle there instead.
Celebrity Motor Cars owner Tom Maoli, whose dealerships are based out of New Jersey, detailed how the attacks affected the service departments.
His employees had to do “everything manually,” including putting together the repair order “so they can pay it.”
“When there’s parts that need to be used to repair the vehicle, there’s an inventory system within CDK and those parts are not being deducted from our systems so when we use parts out of our inventory, alerts won’t automatically go to the manufacturers to replenish us with those parts,” Maoli detailed to Fox Business. “They’re not getting those alerts so the entire supply chain system is being shut down.”
Toll on Customers, Dealers
In San Antonio, Ancira Auto Group officials noted that using the CDK software makes it easier for dealers to do business in a short amount of time. “So it’s beneficial to the customer as well,” said April Ancira, vice president of Ancira Auto Group, who added her employees are relying on some of their former techniques and technology to get by. “We’re actually able to get some of the information from little bits of different software. We’re doing some of that. We’re doing some handwriting.”
Ancira noted that the ransomware attack targeting CDK does not just take a toll on the companies and dealerships involved, but also on the employees and customers.
“When something like that happens, (it affects) the employees’ families and their ability to put food on the table,” she said. “Customers need their cars repaired that maybe need to go to dialysis or cancer treatment.”
Ransomware Attack
In a statement sent to the AP on Friday, Mike Stanton, president and CEO of the National Automobile Dealers Association (NADA), said that “dealers are very committed to protecting their customer information and are actively seeking information from CDK to determine the nature and scope of the cyber incident so they can respond appropriately.”
CDK Global is reportedly negotiating with an Eastern European ransomware group called BlackSuit to secure a decryptor and ensure that no stolen data is leaked. The cyberattack forced the company to shut down services, and the company intends to pay the ransom—reportedly costing tens of millions of dollars—to restore its cloud-based software, which helps dealerships in the country manage vehicle acquisitions, sales, financing, insuring, repairs and maintenance, according to a Bloomberg report.
BlackSuit is widely believed to be a rebranding of the Royal ransomware operation, a direct successor to the Conti cybercrime syndicate. Comprising Russian and Eastern European threat actors, this organized gang has been a persistent security concern.
The company warned it is aware of “bad actors” posing as members or affiliates of CDK to try to obtain system access by contacting customers and urged employers to be cautious of any attempted phishing.