If you’re looking at buying a car over the next 24 hours or so, there’s a good chance that process got much harder, depending on where you’re buying from. CDK Global, the largest provider of dealer management services in North America, has been subject to not one, but two cyberattacks in the past two days, and while the implications for immediate operations at dealerships using the firm’s services are clear, the picture of the total fallout looks murky at best.
On Wednesday morning, CDK Global shut down its services due to what it called a “cyber incident,” plunging more than 15,000 dealerships across North America back into the 1980s. See, CDK is a leading provider of dealer management software, which covers everything from parts invoicing to payroll. Soon after, the firm issued this statement:
Erring on the side of caution, we proactively shut all systems down and executed extensive testing and consulted with external third-party experts. With the work done so far, our core DMS and Digital Retailing solutions have been restored. We are continuing to conduct extensive tests on all other applications, and we will provide updates as we bring those applications back online. Our first priority is always the security of our customers, and our actions reflect our obligation to them as a trusted partner.
By Wednesday afternoon, it seemed like things were clearing up. Automotive News reported that CDK claimed its dealer management system was unaffected by the cyberattack, and service started to be restored. While not every piece of CDK software was back online, things started to look hopeful. The situation started looking less hopeful later that evening, because another cyberattack happened. Here’s the latest statement from CDK, as published by Automotive News:
We are sorry to inform you that we experienced an additional cyber incident late in the evening on June 19th. Out of continued caution and to protect our customers, we are once again proactively shutting down most of our systems.
We are currently assessing the overall impact and consulting with external third-party experts. At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available at a minimum on Thursday, June 20th.
Well, that’s not good. As of right now, continuing operations appears to be a scramble. Some dealerships are going back to paper invoices. Others are dealing with phone system issues, given how some use CDK’s customer communications systems. Dealers using Reynolds and Reynolds or Dealertrack are continuing operations as normal, as software from competing firms is unaffected, but still, while the lightning has flashed, the flood is yet to come in. See, the motive and wider effects of these cyberattacks have yet to be released, and depending on how deep things go, it could affect more than just internal operations.
While CDK Global is best known for its dealer management system, it also offers finance and insurance software, including the ability to run credit checks on customers. If a substantial data breach has occurred, information leaks could go far beyond the personal identifying information of dealership employees. Granted, as of Thursday, it’s not known if these cyberattacks exposed customer data, but this is something to hold tight on.
Just booked a service at my local, they use MyKaarma for that type of stuff so it was all good as far as I could tell.
That’s not a DMS. That’s a piece of software that interfaces with the DMS, for stuff like sending quotes to customers.
I have a mental image of sitting across from William H. Macy wearing a hang-dog expression as I berate him for the surprise addition of an undercoat charge.
With a MASSIVE mustache.
This is why businesses and people should be removing things from the Internet, not adding more things to the Internet.
Name checks out.
This is making my morning a little interesting, can’t get parts from the local BMW dealer.
Ah, maybe this explains why I couldn’t make a service appointment online yesterday.
Hmm, or not. Still doesn’t work when I load the page. Guess I’ll have to let my fingers do the walking.
Is this just mainstream dealerships or also used car (only) dealerships as well?
I purchased a used VW with an extended warranty from a Subaru dealer. I had an appointment this morning for warranty service but was turned around because they could not research any parts or manuals for my car. It looked like they had to turn a few Subies around too.
I expect to see at least one IT guy get sacked for this, potentially more. If they have a CISO (Chief Information Security Officer), that person just experienced a resume-generating event.
I can almost guarantee you their IT dept has brought up concerns about security just to be shrugged off as being too expensive to implement. Ask me how I know?
This, for sure. “Now, Mike, why would we spend that money when the likelihood is so small?”
“Because risk is not just about likelihood, it’s also about impact. Just record my concerns for the record, Bob.”
IT teams should have a former recall coordinator on staff.
Yup. You don’t make decisions solely on likelihood, but also magnitude.
I’d have the same user name if that happened to me.
The company I work for got a ransomware attack a few years back. It was amazing the protocols that got put in place after… Thankfully we had good backups and were only down for a day.
Proactively bringing up issues and being sacked as a scapegoat for someone else’s failing to act on those issues are not mutually exclusive.
Those responsible for sacking the people who have just been sacked, have been sacked.
Maybe, maybe not.
“Internal vectors” (IE, knowledgeable employees) are by far the biggest threat for a lot of companies, to the point that many of the cybercrime gangs offer a commission from whatever ransom they get to employees willing to install software. That’ll get HR and the risk management team some grief, and raise some separation-of-duty concerns, but some people can still keep their jobs after failure like this.
Even past that, a lot of CISO positions are more vendor management than anything else, where software selection and implementation are conducted by third parties.
Ultimately, C-level hiring decisions fall on the board, and it’ll be lively if the CISO can say “I made recommendations X, Y, and Z, all of which were rejected by the CEO and CTO and would have prevented this.”
So while I’ve no doubt somebody will get fired, part of the fun with entities like this is seeing how in-depth the board investigates.
Hadn’t heard the internal vector theory before but not at all surprised.
The guy who has been ignored for years about all the problems that he knows about is likely to be disgruntled. Add some typical corporate “management” that treats them like a cog at the best of times and pretty soon Joe from IT is vacationing in Romania.
Yep. And LinkedIn and AI have made it all the more easy to discover who your potential insiders are. Find a guy who’s been working at the same place for 7+ years without a meaningful title change, somewhere in the bowels of application support or the like, and chances are he knows enough to push malware to a critical app (even these days, people like salesforce.com admins are not likely to have an IT or security-oriented background).
Cyberinsurance is getting pricier, but a lot of the policies covered 8-figure sums as well as the cost of a third party investigation (that’s useful to determine who you’re going to fire when you’re done). 15% commission on a 10MM policy if you’re an “analyst” pulling down 80k is pretty good. With the advent of bitcoin (among others), it’s even fairly easy (from a tax perspective) to make it look like the money was legitimate.
It’s one of the reasons old-school tech insiders have significant unease with the notion of interlinked autonomous vehicles. Malicious insiders right now are mostly confined to damaging stuff where the human cost is a secondary or tertiary exposure (IE, if I’m a hospital database admin and take down EPIC, the core problem is in software, there are contingencies for paper charting in place, and it’s a significant inconvenience to the patients in which some might die, but the contingency is adequate on a short-term basis). But if you, as an insider, intentionally compromise how self-driving vehicles operate? You can wreak a considerable amount of havoc directly on people. Combine that with automated OTA updates and the possibilities are kinda horrifying. Almost all autonomous systems these days require human judgment in the processing loop (piloting aircraft, medicine, train operation, drone flight, etc.), and while that comes with its own set of problems, it’s also a useful failsafe.
That’s the life in IT, you’re either invisible or in trouble.
31 years in the business, don’t I know it!
Everything works: “what the hell do we pay you guys so much for?”
Everything broken: “what the hell do we pay you guys so much for?”
Maybe, just hear me out here, MAYBE we shouldn’t allow whole industries to be managed by 1-3 companies like this? Especially, when vehicles are almost a utility at this point?
Poppycock! What could possibly go wrong?
You sound a bit anxious about this, John.
That’s my secret Cap, I’m always Anxious.
We probably didn’t originally, but as larger companies swallow up smaller companies this is eventually what happens, then there becomes a lack of choice where to get services from.
Yes, this is what tends to happen, IF they are not appropriately regulated to maintain a competitive market
Fewer companies means less economic pressure to do things like offer a competitive product, or pay employees a competitive wage. That’s a win-win for the ownership class. Think of all the wins that are going to trickle down to us someday!
Counterpoint: cybersecurity is super hard and only a decent size org has a chance.
That assumes that any org tries, or that anyone anywhere really has a chance.
I feel for them, it sucks being on the defensive side of network security.
Yeah that’s gonna be bad if they get access to the customer data. Just think about all the information you have to give up to buy a car.
Looking forward to my $3.75 settlement check in 10 years
Sadly $.37 is more realistic.
You never know. They might round up to $0.38.
But hey, the lawyers will get millions and millions LOL
Best I can do is tree fitty.
China: If they can’t sell cars here, then no one can. Kidding of course (just in case you’re snooping Mr. Xi), but maybe not.
Well this sucks. Hopefully no breach! I JUST bought my Caddy ATS in the last few weeks!
The hackers just released a statement, they’re specifically looking for Chris Moore’s information on a recent purchase.
To discuss the ATS’s extended warranty.
Same concern here, we just bought a 2023 Civic Si about a month ago. I’m sure they didn’t secure the data since the dealership can’t even handle a sales transaction correctly.