Key Takeaways
1. On June 18, 2024, an initial cyberattack on CDK Global halted roughly 15,000 car dealership operations in the U.S. and Canada.
2. The car dealership cyberattack caused major disruptions to the business operations of nearly all auto dealers relying on CDK software. Within the first two weeks, the dealers recorded financial losses amounting to approximately $605 million.
3. BlackSuit, the group responsible for the attack, initially demanded a $10 million ransom from CDK Global, which later increased to more than $50 million. During efforts to recover from the initial attack, the company was hit by a second cyberattack.
4. This recent CDK cyberattack revealed the need for robust cybersecurity protocols and a well-defined incident response plan.
5. Partnering with an experienced cybersecurity service provider like IS Partners can ensure the implementation of effective measures to protect your IT systems and maintain compliance.
A Quick Backstory on CDK Cyberattack
CDK Global LLC, a large provider of cloud-based data storage and software for the car dealership industry in North America and Europe, has been dealing with the aftermath of a ransomware attack that has disrupted its services and systems for almost 3 weeks now.
The car dealership cyberattack, which occurred on June 18, 2024, caused widespread operational disruptions for 15,000 car dealership customers across the U.S. and Canada. As of late June 2024, at the time of writing this publication, the company was still working to restore its systems.
CDK is a trusted third-party service provider that focuses primarily on delivering processing capabilities to automotive dealerships across the U.S. The company provides essential software that helps car dealers manage daily operations, including vehicle sales, financing, insurance, and repairs. This attack has caused major disruptions to the operations of almost all car dealers relying on the company’s services for business.
What Does CDK Do for Car Dealerships?
CDK Global provides integrated data and technology solutions to automotive dealerships across Canada and the United States. Their software helps manage everything from car sales, oil changes, and repairs to service advisors writing repair orders and mechanics recording their time and repair notes.
Employees at these dealerships can also clock in and out using CDK’s software.
Cause of the Cyberattack on CDK Global
It has been confirmed that the cyber event that caused the shutdown in operations on June 18th was due to ransomware from a group called BlackSuit. Unfortunately for CDK, after it restored its systems following the initial breach, it was hacked a second time.
As of now, the full details of the attack’s cause remain unknown. CDK has not publicly disclosed which systems were targeted, what vulnerabilities were exploited by the attackers, or the nature of customer data that may have been stolen.
A class action suit against CDK, filed by some of the customers affected by the attack, alleges that CDK had no effective means to prevent, detect, stop, or mitigate breaches of its systems, thereby allowing cybercriminals unrestricted access to the personal data of its current and former clients.
The Impacts of the CDK Cyberattack
The ripple effect of this fallout at CDK was felt almost immediately in every aspect of the automotive industry operating across North America. Dealerships across North America and Europe reported disruptions in their daily operations because CDK had to shut down most of its systems “out of an abundance of caution and concern for customers.”
Essential services such as transaction processing, vehicle inventory management, and customer communications were affected. This shutdown led to delays in sales, servicing, and customer support.
Following the breach, several auto dealerships experienced phishing attempts aimed at stealing usernames and passwords. There were reported instances of scammers impersonating CDK representatives and offering assistance with the outage.
Within the first two weeks of the attack and shutdown, the Anderson Economic Group estimated up to $605 million in dealers’ financial losses. It has also been estimated that if the disruption continues, an additional $339 million in losses could potentially be recorded.
Response and CDK’s Cyberattack Recovery Update
Lisa Finney, CDK spokesperson, stated that a phased restoration is currently underway and that all systems and services will be fully back online by July 4th, 2024.
She said in a statement: “We are continuing our phased approach to the restoration process and are rapidly bringing dealers live on the Dealer Management System (DMS). We anticipate all dealers’ connections will be live by late Wednesday, July 3, or early morning Thursday, July 4. Our Customer Care channels have also been restored and customers can call, chat, or submit eCases if they need assistance.”
Takeaway From the CDK Global Cyberattack
The financial and business repercussions of this attack underscore the critical importance of robust cybersecurity measures for service organizations. The CDK Global ransomware incident offers several valuable lessons, including:
1. The Necessity of Establishing Robust Cyber Security Protocols.
Cyber threats are becoming increasingly common among service organizations and software providers. Just in 2024, we’ve seen over 2,741 cases of data breach records in the U.S. This is why companies and organizations need to invest in tools and training that will ensure the safety of their systems.
Conducting regular security audits is important as they will help you to identify weaknesses and ensure compliance with industry standards and regulations. Continuous monitoring and vulnerability assessments also make it possible to identify questionable activity early on.
Vulnerabilities that have yet to be patched are frequent points of entry for hackers. Establishing a strong patch management procedure is also important to guarantee that all your systems are protected against known security vulnerabilities.
2. Developing Proactive Incident Response Plans
Organizations must develop incident response plans ahead of time just in case an attack occurs. Having a response and recovery plan in place increases the chances of a business efficiently handling and recovering from these unfortunate incidents.
This response plan should include steps for immediate containment, communication strategies to notify customers and stakeholders of the incidents, and recovery processes to minimize downtime and operational disruption.
3. Data Backup and Recovery
Regularly back up data and ensure that the backups are secure and separate from the primary network. This approach allows organizations to restore their systems without paying the ransom, thereby significantly reducing the impact of ransomware attacks.
4. Third-Party Risk Management
As a business employing the services of a third-party vendor or service provider, always ensure that the third-party vendor you partner with adheres to stringent cybersecurity practices and industry standards.
Before partnering with a service vendor, request to see their compliance reports and standard certifications. This is important because breaches can often propagate through interconnected networks. Review the report to analyze the state of their security and the controls they have in place.
5. Educate and Train Employees
Continuous training programs for employees on recognizing phishing attempts and other social engineering tactics can reduce the likelihood of initial compromise. All staff members, not just members of the IT department, should get thorough and continuous cybersecurity training that emphasizes the value of data protection, spotting possible risks, and adhering to best practices when handling sensitive data.
6. Establish a Clear Communication Channel
At the start of the attack, CDK Global didn’t have a single place where users could get regular updates on the attack and recovery efforts.
Transparent and timely communication with customers, stakeholders, and regulatory bodies during a cyber incident is important for maintaining trust and providing necessary support. Regular updates on the status of the systems can help to manage the expectations of customers.
7. Partner with a Trusted Cybersecurity Provider
As cyber threats continue to evolve and become more sophisticated and harder to detect, partnering with a trusted cybersecurity provider ensures that you have access to the latest threat intelligence and risk management strategies. This information will help in mitigating potential threats before they become incidents.
A reputable third-party expert in cybersecurity will also help you as a service organization stay compliant with stringent regulatory requirements regarding data security and privacy (e.g., GDPR, HIPAA, PCI DSS). They also work to ensure that the data you handle is protected against breaches, leaks, and unauthorized system access.
Work with an experienced cybersecurity partner, such as IS Partners, to benefit from their expertise and experience. They have the resources, knowledge, and support to implement effective cybersecurity measures that protect your systems and keep you compliant.
Why Do We Keep Seeing These Cyber Attack Trends in Service Organizations?
Service organizations, software providers, and small businesses are common targets for hackers and attackers, for the following reasons:
Lack of Security Controls
Many service organizations and small businesses lack the resources to set up robust security controls. They often lack the expertise or financial resources to implement and maintain security measures. Without adequate security controls, these organizations are more vulnerable to attacks, which can lead to significant operational disruptions and financial losses.
Wide Impact Among Organizations
Attacking a service provider impacts the organization and the many businesses that depend on its services. Security issues with a third-party service provider can disrupt all businesses that rely on their services.
Bad actors increasingly target single vendors to affect thousands of their users. Service providers may feel pressured to pay the ransom quickly to prevent data leaks and ensure continued access to their systems.
Significant Value of Data
Service organizations process vast amounts of sensitive data for their customers, making them lucrative targets. The more sensitive the data is, the higher the ransom demands. A breach of clients’ data by the service company could lead to a supply chain attack, depending on the level of integration between the provider and its clients.
Stay Secure and Protect Your Systems with IS Partners
The CDK Global cyberattack shows how crucial it is to be aware of and prepared for cyber threats. This is especially true for small and medium-sized businesses, which are often targeted because they lack strong cybersecurity measures. These trends and figures should serve as a wake-up call to take data security and adherence to industry standards seriously.
With a wealth of expertise in compliance, IS Partners provides tailored guidance and comprehensive solutions designed to elevate your cybersecurity posture. Our team conducts thorough cybersecurity risk assessments, meticulously identifying vulnerabilities and prioritizing risks to craft customized security strategies that align with your unique business objectives.
Working closely with you, we design and implement secure and scalable security systems, ensuring robust protection while supporting your organizational growth and innovation.
By partnering with a trusted cybersecurity provider like IS Partners, organizations benefit from years of experience, cutting-edge solutions, and dedicated support to develop their defenses against the ever-changing cyber threats facing modern businesses.
Contact us today or schedule a free consultation meeting with our experts.