Car Dealerships Nationwide Hit by Massive Cyberattack—Hackers Demand Multimillion-Dollar Ransom

As if there wasn’t enough stress surrounding the dealership experience in America already, it now appears that a large provider of cloud-based data storage and software for the car dealership industry has been hacked. CDK Global informed its customers and the media that a cyberattack has affected its services that potentially could leave you waiting longer for your vehicle to be serviced. That might not be the limit of the total impact, though. On June 24, Bloomberg revealed that CDK Global is potentially paying a ransom to a hacker group identified by Bleeping Computer. Penske Auto Group reveals its Premier Truck Group is affected. More information follows the original text of this story.

According to a report from USA Today, CDK Global experienced a cyberattack on Wednesday June 19, and, at the time of publication, was still affecting its software and data services the following day, June 20. This attack comes just after a large auto retailer in the southwest, Findlay Auto Group, also faced a cybersecurity attack on its data services, according to a report from the Las Vegas Review-Journal.

How Does a Hack On One Group Affect So Many

See All 13 Photos13

CDK Global provides software and cloud-based data storage for automotive dealerships and OEMs, according to its website. According to its website, CDK Global provides these services to “nearly 15,000 dealer locations” and include things like digital retail experience, financial software, marketing, and other customer data. It also provides (ironically, in this case) IT and other cybersecurity solutions for dealers, as bad actors are looking at the automotive sector as an easy way to steal customer financial and identity data from dealerships, which traditionally are not particularly data-hardened despite trading in myriad customer data. So far, there is no clear estimate for how many dealerships were impacted, but it's easy to infer this is widespread given CDK's client footprint.

What Did These Hackers Do, Or Steal?

See All 13 Photos13

When asked for comment, Lisa Finney, CDK Global’s senior manager of external communications, stated, “Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems. In partnership with third party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.”

When pressed for further comment, Finney told MotorTrend that CDK Global is “not addressing specific questions at this time.” Finney did state that its core Dealer Management System (DMS) and Digital Retailing solutions have been restored and that CDK's priority is the security of its customers, “and our actions reflect our obligation to them as a trusted partner.” We also reached out to large dealer networks such as AutoNation, Penske Auto Group, and Findlay Auto Group to see if this attack affected their dealerships in any way, but none had responded in time for publication.

Ransom and Hacker Group Revealed

According to Bloomberg, the cybersecurity attack is part of a ransomware attack on CDK Global. White it did not list the exact amount that CDK says it will pay, Bloomberg says it’s in the “tens of millions of dollars.” CDK has also told Bloomberg that bad actors are “contacting our customers, posing as members or affiliates of CDK, trying to obtain system access.” Bloomberg also reported that Sonic Autmotive Inc., a nationwide dealer group based in Charlotte, has had its operations disrupted. Sonic’s dealerships have reopened with a workaround.

In an SEC filing, Penske Auto Group confirmed that its automotive side wasn’t impacted by the issues with CDK, but its Premier Truck Group—Penske’s medium and heavy duty truck group—has been affected. Much like Sonic Automotive Inc., Penske Premier Truck Group are operating with a workaround and “immediately took precautionary containment steps” to protect itself and its customers when it learned what the issues were with CDK Global.

In a separate story, Bleeping Computer states that the hacker group called “BlackSuit” is behind the CDK ransomware attack. The story also details that CDK is negotiating with the group to receive a decryptor and “not leak stolen data.” BlackSuit isn’t new to this type of attack, as according to the Cybersecurity and Infrastructure Security Agency (CISA), it was originally known as “Royal Ransomware” and behind the City of Dallas cyberattack last year. Since September 2022, the Russian and Eastern European group is linked to $275 million in ransom demands.

It's More Than Just New Car Dealers Affected

Now that reports are coming that this ransomware attack will extend CDK’s outage to June 30, it is becoming clear that more than just new vehicle dealerships that will be affected. Independent shops and collision service centers have contacted us saying that due to CDK Global shutting down local dealership systems, they are unable to get OEM repair parts for vehicles in their shops. Other software-as-a-service providers are reportedly going so far as to block automated ordering to any dealership that is known to use CDK. We’ve reached out to Genuine Parts Company, parent company of NAPA that also offers NAPA Repair Link to independent shops; Snap-On, who provides DealerFX and other repair and service software solutions; and CCC, a company specializing in software for the collision repair industry, for comments on how CDK has affected them and will update with their responses.

Workarounds Add More Headaches and Potential Security Issues

Then there are the workarounds that dealers are employing. Rather than just sit there, dealers are returning to pen-and-paper solutions, according to Automotive News. Unfortunately, those solutions are insecure and open dealers to old-school identity theft tactics, and will impact commission payments to dealership sales staff. Adding to the headache, according to CNN, many customers are going to their local DMV only to be told to make an appointment that would delay registration of their new vehicle by three to four days or more.

Then there is the effect this shutdown of 15,000 dealerships will have on the U.S. GDP. According to a report on CNN, car dealerships account for 17 percent, or $122 billion, of all retail sales in May. With 10 days without dealership access, the loss could be between $4 billion and $16 billion in sales and depress total retail sales in the U.S. by 2.3 percent. It would also shave a full percentage point off the annual GDP growth rate for Q2 of 2024.

What Can You Do As An Individual Customer?

See All 13 Photos13

Unfortunately, we just don’t know what exact data was compromised by this attack, as CDK pushed its equivalent to a “Stop” button and shut down “most” of its systems. For now, if you've been a recent customer of a dealership, whether for service or purchasing or test driving a vehicle, it's probably wise to keep an eye on your digital financial records (check out some credit monitoring providers and, if you're really concerned, put a freeze on your credit, which won't allow new accounts to be opened using your information) out of abundance of caution until CDK says exactly what systems were attacked and what—if any—data was stolen (which could even include personal details, payment info, or even credit reports) during this event. We will update this story when any of the groups we contacted reach back out to us with any more information. In the meantime, several dealerships have reportedly halted operations while the problems are sorted out, so if you were planning on buying or servicing a car anytime soon, maybe call your local dealer before heading out to see if it's operational.