The CDK Global Cyberattack: A Wake-Up Call for Every Dealer
The automotive world stopped the week of June 18, 2024. CDK Global, the backbone dealer management system (DMS) for approximately 15,000 dealerships across North America, was hit by a double-strike ransomware attack widely attributed to the BlackSuit ransomware group. Showrooms went dark, service bays were paralyzed, and deal jackets were written by hand for the first time in decades.
What Happened: A Verified Timeline
On the evening of Tuesday, June 18, 2024, CDK Global detected a cyberattack and proactively shut down its systems early Wednesday morning to contain the breach. On Wednesday evening, June 19, as CDK attempted to restore services, a second cyber incident forced another total system shutdown. This double strike left dealerships completely locked out of their DMS, CRM, and financing platforms.
The core outage lasted approximately 15 days, with CDK beginning phased restoration on June 28 and announcing that the “vast majority” of dealerships had core DMS access restored by July 4, 2024. Full functionality for all peripheral applications took several additional weeks to stabilize.
The Attacker: BlackSuit Ransomware
Multiple cybersecurity firms and press reports attributed the attack to the BlackSuit ransomware group. BlackSuit is widely considered a rebrand of the Royal ransomware operation, which itself descended from the Conti syndicate. According to reporting by CNN and blockchain analysis by researchers, CDK Global paid approximately $25 million in Bitcoin to the attackers on June 21, 2024.
BlackSuit's standard playbook is double extortion: exfiltrate sensitive data first, then encrypt the victim's systems. Applied to CDK, that means paying the ransom and restoring operations does nothing to recover stolen data. A payment buys at most a decryptor and an unverifiable promise of deletion; any exfiltrated data, which likely included customer PII, financing records, and dealership operational data, remains in the attackers' hands. For dealers, this triggers a critical legal question around breach notification obligations.
The Financial Devastation
The impact was staggering. According to Anderson Economic Group, total direct financial losses to dealerships over the roughly three-week outage were estimated at over $1 billion, accounting for lost profit on new and used vehicle sales, service revenue, and parts department disruptions. J.D. Power and GlobalData reported a 7.2% decline in total new-vehicle sales for June 2024 compared to June 2023, with the outage responsible for roughly 100,000 fewer vehicles sold during the month.
Class action lawsuits were filed in the weeks following the attack, representing car buyers (data exposure), dealership employees (lost commissions and data exposure), and dealership owners (business interruption).
The FTC Safeguards Angle: Concentration Risk and Vendor Oversight
This attack is a textbook case of concentration risk: when you rely on a single vendor for your DMS, CRM, inventory management, and financing portal, their crisis becomes your catastrophe.
Under the FTC Safeguards Rule, 16 CFR 314.4(f) requires financial institutions to oversee their service providers by: (1) taking reasonable steps to select and retain providers capable of maintaining appropriate safeguards, (2) requiring those safeguards by contract, and (3) periodically assessing each provider based on the risk it presents and the continued adequacy of its safeguards. CDK Global, as a service provider processing customer financial information on behalf of dealerships, falls squarely within this requirement.
Here is the hard truth: you are responsible for the data you entrust to your vendors. If CDK loses your customer data, your dealership is still on the hook with consumers and regulators. The FTC does not accept “our vendor got hacked” as a defense for failing to protect customer information.
What Dealers Should Have Done BEFORE the Attack
The Safeguards Rule, under 16 CFR 314.4(h), requires a written incident response plan designed to promptly respond to and recover from any security event materially affecting the confidentiality, integrity, or availability of customer information. Recovering from a vendor outage in practice means having business continuity provisions ready before the event. Dealers who had the following in place fared significantly better:
- Vendor risk assessments documenting CDK’s security posture and contractual obligations
- Business continuity plans with manual fallback procedures for sales, service, and financing
- Alternative communication channels that did not depend on CDK infrastructure
- Offline copies of critical operational data (deal forms, customer records, inventory lists)
Immediate Steps for Affected Dealers
1. Isolate Your Network: If you have an active VPN or dedicated line to CDK, sever it immediately. Restore the connection only after CDK has documented its remediation and your own team (or an outside firm) has reviewed it; do not reconnect on the strength of a vendor “all clear” alone.
2. Assess Your PII Exposure: Data exfiltration before encryption means your customer data is likely compromised. Assume that any data held within the CDK ecosystem is at risk, inventory what you sent there, and begin assessing your breach notification obligations under both federal and state law.
3. Prepare for Phishing: Expect a wave of phishing emails targeting your employees, pretending to be “CDK Support” or “Insurance adjusters” offering help. Brief your staff immediately.
4. Engage Legal Counsel: The combination of data exfiltration, the new FTC breach notification requirement (effective May 13, 2024, requiring notice to the FTC within 30 days of discovering an event involving the unencrypted information of 500 or more consumers), and the class action landscape means you need legal guidance on your specific exposure.
5. Document Everything: Every manual workaround, every lost sale, every hour of downtime. This documentation will be critical for insurance claims, litigation, and demonstrating your incident response to regulators.
The CDK attack is not a one-time event. It is a permanent lesson in why vendor risk management, business continuity planning, and the FTC Safeguards Rule exist. If your security program is built on the assumption that your vendors will never fail, you do not have a security program.
