Threat Alert | Auto Dealerships | 7 min read

Lessons from the CDK Global Ransomware Attack

On a Wednesday morning in June 2024, ~15,000 dealers lost their DMS for 2–3 weeks. Industry losses topped $1B. Here's what happened — and the 7 controls that change the next outcome.

What Happened

In the early hours of June 19, 2024, the BlackSuit ransomware group encrypted CDK Global's production environment. CDK is the largest provider of dealer management systems in North America; roughly 15,000 dealerships in the US and Canada rely on their platform.

Within hours, every CDK customer was offline. No inventory lookups, no F&I, no service writeups, no parts ordering, no payroll, no accounting. Sales floors went silent. Service drives backed up. Some stores closed. Others ran on paper for weeks.

CDK reportedly paid a ransom estimated at $25 million. Even after payment, full restoration of dealer environments took two to three weeks. Industry estimates put cumulative dealer losses at over $1 billion. Several smaller operations did not recover.

What Dealers Actually Lost

The headline number is impressive, but the operational damage was worse:

  • Inventory invisibility. Dealers couldn't look up VINs, options, pricing, or floor-plan status. Customers walked.
  • F&I paralysis. No deal jacket creation, no funding, no contract printing. Cash deals possible; financed deals impossible.
  • Service-drive backups. Estimates couldn't reference parts pricing or labour times. Warranty claims couldn't be processed.
  • Payroll disruption. Many dealers run payroll through DMS-integrated tools. Pay cycles missed for some.
  • Lender chaos. Funding portals depend on DMS data. Manual workarounds failed at scale.
  • Customer-data exposure risk. While CDK's public statements emphasised encryption, the broader question of customer-data exfiltration remained open for months.
  • Reputational damage. Local news covered the closures. Customers learned, often for the first time, that "the dealership" meant "a software vendor in the cloud."

Why Your DMS Isn't Your Cyber Safety Net

For years, dealers treated the DMS vendor as the de-facto security provider. Pay the licence, hand over the data, hope the vendor knows what it's doing. The CDK attack upended that assumption.

Three things every dealer should accept after June 2024:

1. Your vendor is your supply chain. A breach at your vendor is a breach at you, even if your network was never touched. The FTC Safeguards Rule explicitly requires vendor due diligence. So does most cyber insurance.

2. Vendor uptime ≠ business continuity. Even if CDK had fully restored on day one, dealers without a manual continuity playbook lost days of revenue. Plans, run sheets, and rehearsals matter as much as technology.

3. Customer data lives in your environment too. Most dealers store F&I scans, credit-app uploads, and customer spreadsheets locally — on file shares, SharePoint, OneDrive, back-office PCs. None of that depends on the DMS being up. None of it is necessarily encrypted. All of it is your liability.

The 7 Controls That Change the Next Outcome

You can't prevent your DMS vendor from being attacked. You can change what that means for your dealership. Here are the seven controls that separate dealers who survive a vendor outage from dealers who don't.

The 7 Controls Every Dealer Should Have

1. MFA on every account that can reach customer data — DMS, email, lender portals, RDP, VPN, accounting.
2. Endpoint detection and response (EDR) on every device — not just antivirus, and not just on the front-desk PC.
3. Immutable, tested, offsite backups of customer records, accounting exports, and any DMS-data exports the dealership controls.
4. Network segmentation between rooftops, departments (sales / F&I / service), and any guest Wi-Fi.
5. A written incident-response plan and a manual continuity playbook for "what we do when the DMS is offline for two weeks".
6. Vendor due diligence on the DMS, CRM, F&I tools, and every system in the customer-data chain — including their own incident-response posture.
7. 24/7 monitoring with rapid containment, so an intrusion at 2am is detected in minutes, not days.
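Control 3 says "tested" for a reason: a backup that has never been restored and checked is a hope, not a control. The script below is an added illustration (not CDK's code and not part of the original alert) of the minimum drill a dealership's IT provider should run on a schedule: take a backup of locally held customer records, record a SHA-256 manifest alongside it, restore to a scratch location, and compare every file against the manifest. The directory layout, file names and record contents are constructed assumptions for the example; the manifest itself should live with the offsite, immutable copy so that a file that was silently encrypted or replaced fails the check.

```python
"""Backup restore drill: hash every file at backup time, then verify a
restored copy against that manifest. Added example with constructed data;
paths and file names are assumptions, not any real dealership layout."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest recorded when the backup was taken.

    Returns a report listing files that are missing, whose contents changed
    (e.g. encrypted in place), or that were not in the original backup."""
    current = build_manifest(restored)
    missing = sorted(k for k in manifest if k not in current)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (missing or modified or unexpected),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def run_drill(tamper: bool = False) -> dict:
    """Run one full cycle: source data -> backup + manifest -> restore -> verify.

    With tamper=True one restored file is overwritten with junk, standing in
    for a backup that was encrypted after the fact; the drill must report it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)

        # Constructed sample records standing in for locally stored F&I and
        # accounting exports; none of this is real customer data.
        source = tmp / "source"
        (source / "fi").mkdir(parents=True)
        (source / "fi" / "deal-1001.txt").write_text(
            "buyer=Example Person\nvin=EXAMPLE0000000001\n"
        )
        (source / "accounting-export.csv").write_text(
            "date,amount\n2024-06-18,1200.00\n"
        )

        # Take the backup and record the manifest next to it. In production the
        # manifest and backup go to the offsite, write-once copy.
        backup = tmp / "backup"
        shutil.copytree(source, backup)
        manifest = build_manifest(backup)
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Restore to a scratch location, as the drill would on a test host.
        restored = tmp / "restored"
        shutil.copytree(backup, restored)
        if tamper:
            (restored / "accounting-export.csv").write_bytes(b"\x00ENCRYPTED\x00")

        stored_manifest = json.loads((tmp / "manifest.json").read_text())
        return verify_restore(restored, stored_manifest)


if __name__ == "__main__":
    print("clean restore:", run_drill())
    print("tampered restore:", run_drill(tamper=True))
```

A clean drill returns `ok: True`; the tampered run returns `ok: False` with `accounting-export.csv` listed under `modified`. The point of the drill is the second result: a backup whose manifest still matches after a restore is the evidence a dealer can show an insurer or a Safeguards Rule auditor that the control actually works.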

The Insurance Angle

Many dealers assumed cyber insurance would absorb a CDK-style outage. It mostly didn't. Two reasons:

  • Business interruption from a vendor outage often falls under contingent-business-interruption (CBI) coverage — which most dealer policies either don't carry or carry with very low sublimits.
  • Claim eligibility requires the dealer to have the controls they attested to. Dealers without MFA, EDR, backups, or a documented WISP found themselves in dispute with their carriers.

Talk to your broker about CBI sublimits, and make sure your application attestations are accurate. The cheapest cyber policy is the one whose claims actually pay.

The Bottom Line

The CDK attack was not a once-in-a-decade event. The broader ransomware economy is industrialised. Dealer-tech vendors are attractive targets because compromising one vendor reaches thousands of stores at once. More vendor outages are coming.

The dealers who came through CDK best had three things in common: MFA everywhere, working backups they'd actually tested, and a documented manual-continuity plan their staff had walked through. The dealers who were hit hardest had assumed the vendor would handle it.

Related reading: Our companion piece on the FTC Safeguards Rule for auto dealers walks through what your WISP must contain.

How would your dealership fare in a CDK-style outage?

Get a free assessment. We'll map your seven controls, your continuity plan, and your vendor exposure — and show you exactly what to fix first.
