CDK Global has suffered a second cyber attack, days after another cybersecurity incident forced thousands of auto dealers to halt operations after losing access to their data when the SaaS provider shut down the affected servers.
Over 15,000 car dealerships rely on CDK Global’s software-as-a-service (Saas) platform that hosts a suite of applications, including payroll, auto financing, customer relations, support and service, and inventory management. Brookfield Business Partners acquired publicly traded CDK Global in 2022 for $6.41 billion, making it private.
The subsequent cyber incident forced CDK Global to shut down previously restored systems. Shortly after, the company restored the impacted systems, only to disconnect them again.
“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems. In partnership with third party experts, we are assessing the impact and providing regular updates to our customers,” CDK said on Thursday morning. “We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.”
More disruptions expected from the CDK cyber attack
CDK has shared limited information regarding the nature of the cyber attack, including whether ransomware was involved. So far, no threat group has claimed responsibility for the cyber attack and CDK has not confirmed receiving ransom demands.
Similarly, the attack vector the cybercriminals exploited to breach CDK remains a mystery, although customers suspect the always-on VPN. They also fear the attackers could exploit the VPN, which has administrative rights, to spread laterally across their internal networks.
Subsequently, CDK has advised auto dealers to take proactive security measures, including disconnecting the always-on VPN, as a matter of precaution.
Although CDK was working to get auto dealers “back to business as usual as quickly as possible,” it warned that the cyber attack could take days to resolve.
“At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available likely for several days,” said the company.
“It hasn’t been released what type of “cyber incident” this is, but there’s a good chance it’s related to ransomware,” said Roger Grimes, Data-Driven Defense Evangelist at KnowBe4. “When more details are released, I hope part of the details include how the cyber threat made its way into CDK’s systems (e.g., social engineering, unpatched software or firmware, etc.). Because in order to mitigate future occurrences you need to start with how the current incident was caused.”
Auto dealers severely impacted by the CDK cyber attack
While auto dealers could resort to manual systems to minimize the impact of the cyber attack, they cannot access previous negotiations and deals, which are usually backed by data.
Similarly, the supply of auto parts, vehicle registration, and auto financing are tightly coupled with the impacted systems. While some continue to sell using pen and paper, they have to manually send vehicle registration paperwork to the Secretary of State instead of uploading it via CDK systems.
Additionally, the safety of customer data, including their financial data, concerns many auto dealers who collect vast amounts of personal information that is highly sought after by cybercriminals.
“This incident highlights the heightened vulnerability of customer data due to the widespread reliance on third-party software providers like CDK for operational management,” remarked Nick Tausek, Lead Security Automation Architect at Swimlane.
Other auto dealers had to send their employees home early because they could not sell or schedule service appointments or order parts. A BMW North America spokesperson told Reuters the cyber attack has affected auto dealers in both the United States and Canada.
Similarly, the National Automobile Dealers Association said it was “seeking information from CDK to determine the nature and scope of the cyber incident so they can respond appropriately.”
Other CDK customers took to social media to complain about the software outage, with some confirming resorting to pen and paper to circumvent technical difficulties.
“This current event is a strong indicator that as technology has advanced, as managed services and applications have continued to rise and become adopted, the impact of cyber-attacks has a much greater reach than before,” said Colin Little, Security Engineer at Centripetal. “It’s no longer a single company and their customers, it’s tens of thousands of companies, their employees that sell and fix vehicles, and the manufacturing companies that make vehicles and parts that are not being sold.”