Did you really think it was over? I think Act Two is about to happen for dealers and CDK Global.
From the very beginning when the CDK Global hack was made public, I said there was going to be more to it. That just isn’t the way these hackers operate. This is my opinion of the players involved and what dealers need to do to protect themselves.
Chances are the hackers were in the system well before the announcement was made, probably as early as April or early May. The group is the East European gang called BlackSuit or BlackCat, originating out of Russia and spun off from an earlier version called RoyalLocker, according to Recorded Future, one of the foremost ransomware analysis firms. This gave the cyberterrorists plenty of time to siphon data or download information, which I warned about at the beginning in a social media blog titled ‘The Bigger Issue Will Be How Much Dealer and Customer Data Leaked Onto The Dark Web?’
First the Hackers, Now the Phish
Experts estimate the hackers settled for $15 to $25 million. Although credibility is important to the hackers so they are believable to their next target, customer credit data from credit applications, which include such information as Social Security numbers, is a temptation worth literally millions to potential dark web customers.
This may prove too irresistible to hackers. If they’re holding customer data (which I believe they are), why would they settle for $25 million when they can sell that data for multiples of that?
Now that the hackers have the information, we are already seeing phishing expeditions in which the callers contact dealers and represent themselves as CDK’s rescue teams. Even one of CDK’s updates warned that “bad actors are contacting our customers posing as members or affiliates of CDK trying to obtain system access.”
Dealers’ Complaints
Dealers have complained that CDK’s response to their crisis has been one of the most frustrating aspects. All of the company correspondence seemed to say “no new information” and was signed “CDK Customer Care,” which left dealers feeling in the dark in the early days of the system being down.
That was followed by CDK’s CEO Brian MacDonald writing to the 15,000 dealerships the company serves, thanking them for their “resiliency and heroism” throughout the ordeal, but the letter did not provide much detail.
The damage reverberated throughout the industry as many vendors tied in to CDK had to shut down or curtail operations. As CDK restores services, my question is: do dealers really want to be the early adopters that hook back up immediately?
What the Customer Should Demand
If I were a dealer, I would want a deep security audit by a reliable and reputable outside company. CDK hasn’t even disclosed how or where the hackers got into the system. Is it possible that the BlackSuit hackers left a little nugget of code embedded somewhere that lets them reactivate the hack anytime and attack the dealers’ data directly?
A Fox Morning News segment featured a dealer talking about sunshine and rainbows, a lot of fluffy optimism. Unfortunately, they didn’t know how to work a car deal without a computer program and their service department was in disarray and panic—they still hadn’t figured out how to process title work.
Dealers coast to coast were forced to come up with creative processes to keep selling and delivering cars. But the fact is that most salespersons, sales managers, and F&I managers weren’t even in the business before the pandemic and they don’t know how to work an old school deal with a 10-key calculator and a green Sharpie pen.
I challenged dealership employees on social media and in my private car groups to work a car deal with a payment factor, a sale price, a trade-in ACV and payoff with an interest rate and term, and I supplied the payment factor. Out of the more than 60 managers that tried, only three got the right payment.
The Pen and Paper Test
I provided a similar scenario with a retail deal: a $67,000 selling price, seven percent tax on the difference, $2,600 cash down, paid off trade-in with $21,000 ACV/allowance, five percent APR for 72 months, $750 title and fees.
I’ll give them a head start by telling them the money factor to multiply by for a five percent interest rate at 72 months is .016105.
Brett Morgan chided me that five percent is a fairy tale interest rate. GM or GSM or dealer, write those numbers on the whiteboard and see how many of your managers can come up with the correct payment, which is … $762.89.
Then let’s see if your sales and F&I managers know how to create an Old School payment factor …
- Put $20,000 in as the selling price in the computer/CRM
- Put in a $10,000 down payment
- Put in the number of months (48, 60, 72 or 84)
- Put in the interest rate you want the factor to be for
- Remove all fees and taxes and any other charges
- Be sure it’s 30 days until first payment
- Whatever payment that produces, put a period and zero ( .0 ) in front of it. For example, at 5% for 72 months, the payment came out to be $161.05, so the factor comes out to be .016105. Then any number you multiply by .016105 will give a payment exactly matching what your computer would have produced. Deadly accurate.
Providing A Helping Hand
Several of CDK’s competitors actually came to the rescue and offered dealers their services for free to help out. The first I was aware of was my friend Brad Paschal, Market President at Dynatron Software, who posted on social media, “If you need an Excel process to write ROs just shoot me an email and I will hook you up!”
Then, another friend of mine, Nick Askew, CEO of Space Auto posted, “Actions speak louder than words…we are making our CRM and Desking tools available to dealers for free until such time your CRM is back up and dealership systems are stable again. We’ve been in automotive retail, so we know exactly how hard this is hitting dealers. It’s the least we can do. Time for everyone to get back on their feet.”
Christopher Walsh, president of Reynolds & Reynolds, a company that has taken great strides to stay ahead of the curve, was early to offer help, including the company’s forms, to its main competitor’s customers.
And Jay Vijayan, CEO of Tekion, a new and innovative DMS platform, noted dealers are “showing incredible resilience in the face of the ongoing CDK outage, coming together to find alternative solutions, even if they are manual solutions to keep their businesses running and servicing their customers and communities.” Tekion provided free access to its tax, title, and license solution, Tekion Digital Processing, to all affected dealers.
Now Come the Lawyers
The lawsuits are coming. As of July 1, five have already been filed, and there are more of them, really big ones, that I’m aware are coming.
The issue that will be litigated is this: How much at fault is CDK? The answer is definitely…or maybe not! Personally, I think they have to accept responsibility for many reasons.
But before the lawyers take the issue over, there are bigger issues facing the auto industry right now. CDK may be just the catalyst—or an omen—of what’s coming. I feel sorry for what this will do to the entire car business industry. Dealers suffered immense and immediate pain, especially at the end of June.
I’m wondering if customers are going to return to the showrooms in previous numbers any time in the near future. If not, the cyberattack will cost billions, as some estimates say the industry could lose 10 percent of previously projected sales.
We’re facing an affordability crisis already in an election year, and now dealers are affected by a stigma where customers may mistrust data safety, especially if it turns out customers’ identifiable and financial information and Social Security numbers were exposed to the hackers. If there is a significant sales drop-off, I will blame CDK Global for that.
MacDonald’s Land
In 2023, CDK did two things that may or may not have impacted their ability to ward off the ransomware attack.
CDK was sold to Brookfield Business Partners for $8.7 billion in July 2022. Brookfield brought in MacDonald, who promised to implement what he called a “Fit and Focus” strategy.
Under MacDonald’s new business strategy, CDK outsourced a number of employees and services to Genpact.com, including CDK’s enterprise information technology unit, as well as parts of its technology, product, customer, finance and procurement divisions. CDK also closed offices in the UK and the Western USA.
It is fair then to raise these questions: Where and how did the hackers get into the system? Was it avoidable? Were CDK’s or Genpact’s security protocols sloppy? Or was nobody at fault?
Regardless of your opinion or mine about CDK, it’s not good for the industry, and chances are this won’t be the last time an automotive industry company will get hit. And I fear the worst for the financial stability of the company.
What Dealers Can Do Now
I have been saying this to dealers repeatedly: it’s time to back up and modernize your technology and guard your data. In 2011, I was one of the very first who warned dealers about protecting their customer data from vendors that play it loose with customer information. Some of the biggest players in the business are still selling leads (customer information) to other vendors, and dealers don’t call them out.
It’s time to tighten up because the reckoning is coming. And a direct result of the CDK Global crisis is that dealers will finally start shopping for new modern technology solutions. You need to look at some of the new vendors that you’ve been putting off.
Too many of the old players in the CRM and DMS game are held together with band-aids and duct tape with inferior, outdated and obsolete technology. You’re not making the right move because you don’t want to go through the changeover. Well, get over yourself already. You’re paying for it right now.
There’s a reason lions go after the slowest and weakest antelope in the herd first. So do hackers.