CDK Global suffers second cyberattack after breach crashed thousands of car dealerships

Alleged ransomware attack forces SaaS provider for the automotive sector to take down its systems, causing dealers to potentially miss out on car sales

Auto retailers across the US suffered a second major disruption in as many days after another cyberattack at CDK Global, the SaaS provider thousands of dealers rely on to run their stores.

An initial attack occurred on Tuesday, causing CDK Global to shut down its IT systems and applications to limit the impact of the attack.

CDK then managed to bring its Unifi modern login service back online and get other services up and running, before a second attack took place on June 19th.

"We are sorry to inform you that we experienced an additional cyber incident late in the evening on June 19th," it wrote, according to BleepingComputer.

"Out of continued caution and to protect our customers, we are once again proactively shutting down most of our systems. We are currently assessing the overall impact and consulting with external 3rd party experts."

CDK's cloud-based platform is used by major American car dealerships, including General Motors, Group 1 Automotive and U.S. Holman, to manage back-office operations, payrolls, CRMs and other logistics operations. The CDK website says it is "trusted" to serve 15,000 dealer locations.

A thread on the r/serviceadvisors subreddit claimed the incident started with a ransomware attack, although this has not been confirmed. It has also been claimed that CDK was forced to take two of its data centres offline due to the breach; this, too, is unconfirmed.

Cyber security experts have questioned whether the SaaS platform's always-on VPN log-in system may have been a vulnerability that contributed to the attacks.

After the first incident, CDK reportedly sent an email to clients which said: "We experienced an additional cyber incident late in the evening on June 19th. Out of continued caution and to protect our customers, we are once again proactively shutting down most of our systems."

"We are currently assessing the overall impact and consulting with external 3rd party experts. At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available at a minimum on Thursday, June 20th," the email reportedly added.

In a statement provided to Bloomberg, the company reiterated that it had “shut all systems down, executed extensive testing, and consulted with external third-party experts.”

According to car dealership owners and service providers on X, the company has not been able to get its systems live, as its backup data centre was impacted too.

Confirmed details on the nature of the attack remain sparse, and The Stack will update this story as they emerge.


This is the second cyberattack on car dealerships in recent weeks. Findlay Automotive Group was impacted by a cyberattack that compromised its systems on June 11th. Two of its customers have since filed a class action lawsuit, accusing the company of not taking enough precautions to protect their personal data.

In February 2024, UK-based car dealership JCT600 also suffered a cyberattack that prompted the company to take its systems offline.

A report from Security Online notes that car dealerships are increasingly vulnerable to cyberattacks. It estimated that dealerships' average ransomware payouts worked out to $228,125.

If the incident involves ransomware, the fee demanded of CDK Global could be much higher, since it is a SaaS firm with a multi-billion dollar valuation.
