Browse Definitions :

Getty Images/iStockphoto

The CDK Global outage: Explaining how it happened

CDK Global was hit with a ransomware attack affecting thousands of U.S. auto dealerships. Keep reading to learn more about this attack and how it affected the industry.

Ransomware attacks are not a new phenomenon and are continuing to have a widespread impact across multiple industry sectors. A ransomware attack can target a specific individual victim, though threat actors are increasingly using techniques where a single vendor is attacked but thousands of its users are impacted.

That's the case with the CDK Global cyberattack, which was first reported on June 18, 2024. In this incident, CDK Global was infected with ransomware taking many of its core systems offline. As CDK Global is a trusted provider of software services to many organizations in the automotive industry, the ransomware impact was widespread.

What is CDK Global?

CDK Global is a software vendor headquartered in the U.S. that provides applications and services for the automotive industry. It serves nearly 15,000 dealer locations across North America.

CDK Global primarily focuses on delivering processing capabilities to automotive dealerships across the U.S. It provides essential software that helps dealerships manage daily operations, including vehicle sales, financing, insurance and repairs.

The company was officially created in October 2014 although its roots go back decades earlier. Before 2014, the core operations of CDK Global were part of ADP Dealer Services which started in 1973. The original set of capabilities for CDK Global comes from a series of predecessor companies that also include Cobalt Digital Marketing and Kerridge Computer Company, both of which were acquired by ADP Dealer Services. The name CDK is derived from different acquisitions: C from Cobalt Digital Marketing, D from the original ADP Dealer Services business, and K from Kerridge Computer Company.

In 2022, CDK Global was acquired by Brookfield Business Partners in a deal valued at $8.3 billion.

How did the CDK attack happen?

Full details on exactly how the CDK Global attack happened have not yet been publicly disclosed. However, it has been confirmed that the company was the victim of a ransomware attack.

Ransomware can be deployed into a victim's environment in any number of different ways.

One of the most common is some form of phishing attack where administrative credentials are obtained. Social engineering is also an extremely common ransomware attack method, which can also be part of the phishing attack.

Another potential cause could be a vulnerability in the software stack used by CDK Global.

Who was affected?

The CDK Global cyberattack impacted a wide range of entities in the automotive retail industry.

Among them are the following groups:

Car dealerships

  • Approximately 15,000 auto dealer locations across North America were affected, including both the U.S. and Canada.
  • Large car-dealership companies reported disruptions to the U.S. Securities and Exchange Commission (SEC), including Lithia Motors, Group 1 Automotive, Penske Automotive Group and Sonic Automotive.

Automakers

  • Various automakers acknowledged the impact on their dealers' operations, including BMW, Nissan and Honda.

Customers

  • Car buyers faced delays and potential issues with transactions due to dealerships having to resort to manual processes.
  • Car buyers who were in some cases unable to complete purchases or have their vehicles serviced normally during the outage.
  • Some dealers and customers have also reported attempted phishing scams from hackers aiming to capitalize on the ransomware outage.

CDK Global

  • The company had to shut down most of its systems and initiate a lengthy restoration process.

Timeline of attack

The timeline of the attack is as follows:

June 18, 2024

  • CDK Global was hit by the first ransomware, which led to the encryption of critical files and systems.
  • The attack has been attributed to the BlackSuit ransomware gang that is based in Eastern Europe and Russia.
  • BlackSuit has demanded a ransom from CDK Global. According to Bloomberg, the initial ransom demand was $10 million, but has increased to more than $50 million.

June 19, 2024

  • As a result of the ransomware attack, CDK Global shut down its IT systems.
  • During efforts to recover from the initial attack, a second cyberattack hit the company.

June 22, 2024

  • CDK Global announced it initiated the restoration process.
  • Bloomberg reported that the company intends to pay tens of millions of dollars in ransom.

July 4, 2024

  • After a phased restoration process, all car dealerships should be up and running with CDK services.

Who was responsible for the attack?

The CDK Global cyberattack has been attributed to the BlackSuit ransomware gang.

BlackSuit is a relatively new ransomware group that first emerged in April 2023. The group has links to the older more established Royal ransomware gang. There is some evidence that BlackSuit is also related to the Conti ransomware group. BlackSuit is thought to be made up of Russian and Eastern European hackers.

BlackSuit runs as a private ransomware group and is not some form of ransomware-as-a-service (RaaS) operation where there are affiliates. The group is known to favor using double extortion ransomware, which combines ransomware with extortionware.

The ransomware gang has targeted various sectors, including healthcare, education, information technology, government, retail, and manufacturing in the past. Among the group's publicly disclosed victims is the Kansas City, Kan. police department. The gang claims it published hundreds of sensitive police files on June 18, 2024, after the police department did not pay the ransom.

What is the impact of this attack?

The impact of the CDK Global ransomware attack is extensive as it caused widespread disruption across the automotive sector in North America.

  • CDK Global system shutdown. CDK Global shut down most of its programs, including IT systems, phones and applications.
  • Widespread dealership disruption. Approximately 15,000 auto dealer locations across North America were affected. The operational impacts on dealerships included an inability to access dealer management systems, disruptions in tracking and ordering car parts as well as difficulties in conducting new sales and offering financing. Additionally, there were challenges in scheduling service appointments and managing inventory. Some dealerships resorted to manual processes, using paper while other dealerships sent employees home.
  • Financial impact. The attack led to disruptions in payroll processing for dealership employees as well as additional costs for implementing temporary manual processes. It is also possible that some dealerships lost sales as they were unable to complete transactions.
  • Customer experience impact. Automotive customers were impacted with delays when trying to purchase vehicles, as well as with scheduling and managing service appointments.
  • Data security concerns. In addition to the operational challenges, the fact that the ransomware group has access to sensitive customer and business data is a major concern.
  • Industry-wide impact. There were also industry-wide impacts with automakers unable to track sales and inventory through their dealer networks.

Are car dealerships seeing an increase in cyberattacks?

Somewhat ironically, CDK Global produces an annual report on the state of cybersecurity in the automotive dealership market.

The "2023 State of Cybersecurity in the Dealership" study was released in October 2023. The report found that 17% of surveyed automotive retailers fell victim to a cyberattack or incident in the past year, up from 15% the previous year. The same report also found that 53% of dealers were confident that they had the right level of cybersecurity protection in place. CDK's report identified phishing scams as the top threat for dealers.

As a result of the CDK Global ransomware attack, car dealerships overall reported an increase in attacks. Most notably multiple dealerships reported phishing attacks, that attempt to gain usernames and password information. In the wake of the CDK Global attack, there were also reports of scammers posing as CDK representatives trying to help with the outage.

What can organizations learn from this attack?

There are a variety of things that organizations can learn from the CDK Global attack.

  • Develop contingency plans. The fact that dealers were struggling for days with little to no active guidance on what to do was a real issue. It is incumbent upon organizations to have robust business continuity plans in place to maintain operations during system outages. There should also be an operational playbook that includes manual processes as backups for when digital systems are unavailable.
  • Plan for incident response. The inability to respond quickly and effectively to the ransomware attack helped to amplify the impact. Organizations must develop and regularly update an incident response plan. Organizations should have regular "fire drills" and tabletop exercises to prepare staff and management for potential cyber incidents.
  • Prioritize data protection. Attackers are always looking for personally identifiable information and payment information. Organizations need to implement strong data protection and regularly assess and update data security protocols.
  • Double down on ransomware protection. Organizations need to emphasize and reexamine ransomware protection strategies. There are multiple steps that organizations can and should consider to prevent ransomware exploitation.
  • Improve communication strategies. CDK Global did not at the outset of the attack have a singular location where it kept its users updated on the status of the attack and recovery effort. It is a good best practice to maintain clear and consistent communication with staff and customers during a crisis. It is also critical to unify messaging about what is going on after a cybersecurity incident to reassure customers about data security and service continuity.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.

Dig Deeper on Threat management

Networking
  • subnet (subnetwork)

    A subnet, or subnetwork, is a segmented piece of a larger network. More specifically, subnets are a logical partition of an IP ...

  • Transmission Control Protocol (TCP)

    Transmission Control Protocol (TCP) is a standard protocol on the internet that ensures the reliable transmission of data between...

  • secure access service edge (SASE)

    Secure access service edge (SASE), pronounced sassy, is a cloud architecture model that bundles together network and cloud-native...

Security
  • cyber attack

    A cyber attack is any malicious attempt to gain unauthorized access to a computer, computing system or computer network with the ...

  • digital signature

    A digital signature is a mathematical technique used to validate the authenticity and integrity of a digital document, message or...

  • What is security information and event management (SIEM)?

    Security information and event management (SIEM) is an approach to security management that combines security information ...

CIO
  • product development (new product development)

    Product development -- also called new product management -- is a series of steps that includes the conceptualization, design, ...

  • innovation culture

    Innovation culture is the work environment that leaders cultivate to nurture unorthodox thinking and its application.

  • technology addiction

    Technology addiction is an impulse control disorder that involves the obsessive use of mobile devices, the internet or video ...

HRSoftware
  • organizational network analysis (ONA)

    Organizational network analysis (ONA) is a quantitative method for modeling and analyzing how communications, information, ...

  • HireVue

    HireVue is an enterprise video interviewing technology provider of a platform that lets recruiters and hiring managers screen ...

  • Human Resource Certification Institute (HRCI)

    Human Resource Certification Institute (HRCI) is a U.S.-based credentialing organization offering certifications to HR ...

Customer Experience
  • contact center agent (call center agent)

    A contact center agent is a person who handles incoming or outgoing customer communications for an organization.

  • contact center management

    Contact center management is the process of overseeing contact center operations with the goal of providing an outstanding ...

  • digital marketing

    Digital marketing is the promotion and marketing of goods and services to consumers through digital channels and electronic ...

Close