One click put 15,000 dealers down. It was a staggering display of vulnerability.

A single action by one individual, likely an unwitting click on a malicious link or attachment, crippled a system that 15,000 car dealerships across the United States rely on for their daily operations. This isn’t a hypothetical anymore; it’s a real-world example of how robust security measures can be circumvented at the weakest link, the human.

All the penetration testing, firewalls, and security protocols in the world won’t protect you if a single employee unknowingly opens the door to hackers.

CDK: A warning for all dealerships

In our time collaborating with independent dealers, we’ve observed that the automotive industry is not unique. Like all other industries, the types of software (DMS, CRM, etc.) and systems used to run the businesses are vulnerable to the same problems that all computer systems have.

Ransomware like we saw in June is not as common, but outages are. Even a minor system outage can inflict chaos on a dealership. A server hiccup, a software bug, a power outage — these can all bring operations to a halt, leading to lost sales, frustrated customers, and a scramble to get back online.

But the June ransomware attack on CDK Global, a large participant in the dealership management system (DMS) industry, has unleashed a level of disruption and concern that we’ve never encountered before. This wasn’t just a glitch in the system; it was a full-blown, weeks-long catastrophe that appears to have cost the company at least a $25 million ransom.

It should serve as a warning for every dealer, finance company, and vendor in the industry.

Ripple effects: Beyond lost sales and profits

The consequences of the ransomware attack extend far beyond the immediate loss of sales and profits. While some early data showed a 5-7% drop in June car sales nationally, translating to 100,000 fewer vehicles sold, the true cost of this incident is far more complex and far-reaching.

—Legal risk: CDK is currently facing a barrage of class-action lawsuits from dealerships, employees, and customers who have suffered financial losses, data exposure, and disruptions to their business operations. These legal battles are expected to be lengthy and expensive, potentially costing CDK millions in legal fees and settlements.

—Reputational hit: CDK’s once-sterling reputation as a dependable and secure DMS provider has been tarnished. Dealerships associated with CDK are also experiencing a loss of trust from their customers, who are understandably frustrated by delays, errors, and the inability to complete transactions. Rebuilding this trust will be a long and arduous process, requiring significant investment in communication, transparency, and improved security measures.

—Operational chaos: Even weeks after the initial attack, a significant number of dealerships were still struggling to regain full functionality. The decryption of their data was a painstakingly slow and resource-intensive process, forcing many to resort to manual processes. This not only led to inefficiencies, errors, and lost revenue but also exposed these dealerships to further security risks as they relied on outdated and less secure methods.

—Financial fallout: The financial impact of this ransomware attack is immense and multifaceted. Dealerships lost sales due to the inability to process transactions, incurred additional expenses for manual workarounds and potential legal fees, and face the possibility of lost future business due to reputational damage. In an already sensitive and uncertain economy, we expect the ripple effects of this event to bring additional financial strain to employees, suppliers, and the broader automotive industry.

—Employee morale: The stress and uncertainty caused by the outage have taken a toll on dealership employees, who are working tirelessly to maintain operations under difficult circumstances. This can lead to burnout, decreased productivity, and increased turnover, further exacerbating the challenges dealerships face in recovering from the attack and hiring in general.

The (not so) silent threat: Vendor risk and the FTC Safeguards Rule

The most alarming aspect of this incident is the fact that dealerships not directly targeted by the attack are still at risk.

The Federal Trade Commission’s Safeguards Rule explicitly states that dealerships are responsible for ensuring the security practices of their vendors. If a vendor like CDK suffers a data breach, dealers can be held liable for any resulting harm to their customers, regardless of their own security investments.

This means that even if your dealership has invested heavily in cybersecurity measures, the possibility exists that you could face regulatory scrutiny, fines, and legal action if a vendor’s security lapses compromise your customers’ data. This is a sobering reality that many dealerships may not be fully aware of, and it highlights the importance of thoroughly vetting vendors, conducting regular risk assessments, and having a robust incident response plan in place.

You need a real plan, not a dusty binder

Remember that time you bought a fire extinguisher at a garage sale for $5? It’s been sitting in your closet ever since, collecting dust. You think it works, but you’ve never actually tested it. And honestly, you have no idea how to use it in a real emergency.

Your dealership’s incident response plan is probably a lot like that fire extinguisher.

Sure, you might have one. You might have even paid someone to write it. But does anyone on your team really know what’s in it? Have you ever actually practiced using it? If a ransomware attack like the recent one or even just a day-to-day outage hit your dealership, would you be able to execute your plan and keep your business running?

If the answer is “No” or “I don’t know,” you’re not alone. In our decades of experience in automotive compliance, we’ve seen countless dealerships with “check the box” compliance solutions – they look good on paper but are useless in a crisis.

The key to surviving a cyberattack, whether it originates internally or from a vendor, is a well-crafted and regularly practiced incident response plan. This is not a document to be drafted and put on a dusty shelf; it needs to be a living, breathing part of your dealership’s culture, integrated into your daily operations, and regularly reviewed and updated.

The ‘check the box’ mentality: A recipe for disaster

Let’s be honest. When was the last time you really reviewed your incident response plan? Is it a dusty binder on a shelf, filled with generic jargon and vague procedures? Have your employees ever actually practiced it?

If you’re like many dealerships, your incident response plan is little more than a “check the box” exercise to satisfy regulators. It’s an academic exercise, not a battle plan for surviving a real-world crisis. It’s easy to fall into the trap of thinking that simply having a plan is enough. But the truth is, a plan that hasn’t been tested and refined is like a car without an engine – it looks nice, but it won’t get you anywhere. A ransomware attack like this exposes the harsh reality of inadequate incident response plans. Dealerships were left scrambling, unable to process payments, finalize deals, or even access customer information. The financial and reputational damage was immense.

Most incident response plans focus on the technical aspects of a cyberattack: how to isolate systems, restore data, and patch vulnerabilities. But that’s only part of the battle. A real risk analysis and incident plan addresses the operational, financial, and reputational impacts as well:

—How will you continue to sell cars if your DMS is down? Do you have blank contracts and deal jackets on hand? Do your employees know how to calculate payments and finance charges manually?

—How will you collect payments and manage your cash flow? Do you have a backup process or system for processing payments? Do you have a plan for communicating with customers about payment options during an outage?

—How will you communicate with employees, customers, and vendors during a crisis? Do you have pre-drafted templates for emails and social media posts? Have you established a communication hierarchy?

Beyond the technical: The nitty-gritty of operational survival

While IT experts scramble to fix the technical issues, your dealership still needs to function. That means having a plan for:

—Immediate actions: A clear, step-by-step guide on what to do in the first hours and days of an attack, including isolating affected systems, notifying relevant parties, and preserving evidence. This should be a detailed checklist that can be easily followed even under the stress of a crisis.

—Communication protocols: Detailed instructions on how to communicate with employees, customers, vendors, law enforcement, and regulatory agencies. Transparency and timely communication are crucial during a cyberattack to maintain trust and mitigate potential damage.

—Data recovery: A well-defined process for restoring data from backups and ensuring business continuity. This should include regular testing of backups to ensure their integrity and accessibility, and procedures for identifying and addressing any data loss or corruption.

—Legal and regulatory compliance: A thorough understanding of your obligations under the FTC Safeguards Rule and other applicable laws, and procedures for reporting incidents, cooperating with investigations, and notifying affected individuals.

—Manual workarounds and alternate processes: This is one of the most overlooked and important sections of the incident response plan and can’t be replaced by technology. Detailed instructions for manual workarounds and alternative processes should be documented in a manner that is simple to execute, so they can be implemented in the event of a system outage. This might include paper-based record-keeping, offline payment processing, and communication plans for keeping customers informed.

Real-world disasters demand real-world solutions

The recent CDK ransomware attack exposed a critical vulnerability within the automotive industry: the often-sole reliance on digital systems and the lack of operational preparedness in the face of disruption.

While dealerships scrambled to adapt, the incident highlighted the importance of having a robust, actionable incident response plan that goes beyond technical recovery and addresses the details of keeping a business running during a crisis.

 

Richard Hudson is the head of professional services at Ignite Consulting Partners, overseeing digital technology solutions for compliance and special projects. With 15 years of experience at automotive DMS and CRM software companies, he has extensive experience in troubleshooting and resolving technical issues, including server outages and cyberattacks. He is also an industry-leading expert in furnisher requirements for credit reporting. You can reach him at info@ignitecp.com.