A major car dealership cyberattack has AutoNation and others struggling into a second week (2024)

Car dealerships around the U.S. are struggling to provide service as major system provider CDK Global’s core products remain down for the fifth day in a row.

CDK, which serves almost 15,000 car dealerships across North America, was first hit by an attack early morning on June 19. That forced it to shut down its systems, which are relied on by dealerships to conduct most of their routine business. Later that evening, a second “cyber incident” occurred, according to a message to customers.

CDK provides a number of services to dealerships, including online appointment scheduling, messaging tools, and e-signing, according to its website. In addition to car dealerships, CDK works with more than 1,000 heavy truck locations across the continent.

“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems,” CDK said in a statement last week. “We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.”

Although most dealerships haven’t completely closed business, activity has slowed because of a lack of access to their usual tech — and a reluctant switch to the old fashioned art of using pens and paper. A dealer in Philadelphia last week told Bloomberg News that it was struggling to accommodate customers, since they couldn’t print out repair orders or even access customer records.

Group 1, which operates 202 dealerships across the U.K. and U.S., said Monday that its U.S. operations have been disrupted by the cyber incident and that its dealers will conduct business using “alternative processes.” CDK told Group 1 that restoring its dealer management system will “require several days and not weeks.”

“Our associates are coming together with an unwavering focus on delivering the best possible customer experience,” Group 1 CEO Daryl Kenningham said in a statement. “Their efforts have been nothing short of exemplary. We’d like to thank our team, our customers, and our partners for their patience as we navigate this outage.”

Sonic Automotive, Lithia Motors, and AutoNation have said they are determining the impact of the incident on their operations. AutoNation said Friday that it “immediately” took action to protect its systems and data, noting that its more than 300 locations are open and servicing customers through alternative methods.

Penske Automotive Group said its Premier Truck business uses CDK’s systems and has implemented plans to protect its systems and operate its 48 locations in the U.S. and Canada. CarMax CEO Bill Nash last week said the company does not use CDK’s systems, although there has been a small impact on its work with some dealerships that do.

Bloomberg, citing a person familiar with the matter, reported Friday that the a group claiming to have been behind the hack has demanded tens of millions of dollars in ransom. The group has been identified as the BlackSuit ransomware gang, according to BleepingComputer. BlackSuit became widely known last April and most recently published hundreds of stolen files from a Kansas police department that it claims refused to pay its ransom.

The attack on CDK comes after the Findlay Automotive Group was hit by a cybersecurity attack earlier this month. The company has said its locations across five U.S. states were affected by the cybersecurity breach and that, while dealers stayed open, sales and service operations were hindered.

According to Malwarebytes, the number of known cyberattacks increased 68% in 2023, with ransom demands surging. The largest ransomware of last year was the $80 million demanded by LockBit after an attack on Royal Mail.

Ransomware attacks are “mostly opportunistic,” said Satnam Narang, a senior staff research engineer at Tenable. “Ransomware affiliates will target all of the fish in the sea in hopes of catching a big one because they know that’s where the biggest payout comes from.”