CDK Global alerted its customers the cyberattack that began June 19 will idle its dealership management system in the U.S. and Canada “likely for several days.”
The shutdown is now in its third day.
“If you are not aware, we experienced an additional cyber incident late in the evening on June 19,” CDK’s June 20 note to customers said. “We continue to act out of caution, and to protect our customers, we have taken down most of our systems.
"Do not attempt to access the DMS until we can confirm the system is secure. Digital Retail and CDK phones continue to be functional. At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available likely for several days.”
The DMS giant shut down its system for a second day after experiencing another "cyber incident."
CDK's shutdown threatens to disrupt thousands of new-vehicle transactions taking place each day across the North American auto retail segment right in the heart of summer sales promotions and the industry's intense push to avoid inventory buildups on dealer lots. Moreover, the cyberattack has raised alarms about security in the DMS business after other cyberattacks have disrupted operations at casinos, financial institutions and hospitals.
CDK's DMS serves close to 15,000 dealership locations, according to its website. That number jumps to 30,000 when trucks are factored in. Now a private company, analysts believe it dominates the market by a wide margin.
In a statement issued earlier June 20, CDK said:
“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems. In partnership with third-party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible.”
CDK said it shut down most of its systems out of caution.
"We are sorry to inform you that we experienced an additional cyber incident late in the evening on June 19th," CDK wrote to customers. "Out of continued caution and to protect our customers, we are once again proactively shutting down most of our systems."
The CDK cyberattack shutdown has potentially far-reaching implications for auto retail franchises, according to a new report from Seaport Research Partners.
“While it’s unclear what the ultimate impact is, the impact is potentially far-reaching as CDK is reportedly contracted by [15,000] dealers nationwide … with some dealers nearly wholly reliant upon it for critical functionality such as CRM, sales processing, inventory management, etc.,” the report said.
With some dealers unable to do business or left with using pencil and paper to process sales, others can’t perform service work because they can’t locate parts, according to the report.
Seaport said a business interruption such as a cyberattack typically leads to deferred, but not lost, sales. Service business, on the other hand, is usually lost. That’s especially true because of the technician shortage, with dealers lacking the ability to make up deferred service business.
Ford Motor Co., in a statement June 20, urged customers to work with their dealerships on "alternative processes" during the outage.
“Although there is an industry-wide system outage for some dealers who use CDK, Ford and Lincoln customers are able to receive sales and service support due to alternative processes available to our dealers," the statement said. "While a customer’s local dealer remains the best place for information about their sales and service needs, they can always contact the Ford Customer Relationship Center at 1-800-392-3673."
Todd Szott, dealer partner at Szott Auto Group in metro Detroit, and president of the Detroit Auto Dealers Association, said on June 20 that he is disappointed the CDK system isn’t up and running. He said his level of concern is higher today, June 20, than it was on day one of the software shutdown.
'Back to old-school'
Szott’s group uses CDK’s DMS at all five of its stores that sell Chrysler-Dodge-Jeep-Ram, Ford and Toyota vehicles. One location also uses CDK’s customer relationship management system, which is also down, so he said that store is having a bit more of a workaround.
But Szott said his stores are selling and servicing cars and dealing with what he called an inconvenience at this point.
“We're kind of going back to old-school pen and paper and we're finding other systems to do some of the things that we do with the CDK products, as well as just manual processes to continue to serve our customers,” Szott said. “We're going to have a little bit of paperwork catch-up to do when we do come back online.”
Szott said while his stores are open and doing what they can, some parts of a vehicle sale are stalled.
"In Michigan, they call it the CVR system that we use at the dealership to register plates is down and my understanding is that CDK basically runs that system for the state of Michigan," he said.
"We're not really able to finalize any paperwork on the car deal at this point. We certainly do test drives. We put deals together. We come to agreements. We can't do the final paperwork with CDK down, or we can't do the title work with the CVR system down. Now we could go to Secretary of State manually, but again, at this point, we are not hand-typing any of the final paperwork."
Other DMS impacts?
Tekion, another major DMS provider in the U.S., is unaffected by any shutdowns, a company spokesperson told Automotive News via email. At the same time, it has shut down all integrations with CDK as a precaution, said Chase Fraser, founder and managing partner of Tekion investor FM Capital.
Reynolds and Reynolds Inc., another key DMS provider and CDK competitor, said the company continues to pay close attention to cybersecurity, in general, especially after the latest attacks.
“Cyber incidents are a constant threat, and one we take extremely seriously,” said Nikhil Kalani, chief information security officer at Reynolds and Reynolds. “Cybersecurity has been a very high priority for our company for many years, as demonstrated by our acquisition of Proton Dealership IT, the industry’s leading cybersecurity services provider, and the construction of our state-of-the-art Security Operations Center.
"The reported events this week reinforce the need to keep cybersecurity a major focus throughout our entire industry.”
Erik Nachbahr, president of cybersecurity services provider Helion Technologies, said it’s not unexpected that CDK had another cyberattack a day after the first one.
“The prolonging of CDK’s systems disruption announced [June 20] is not surprising. Skilled cybercriminals often use sophisticated tools and methods to penetrate deep into their target computer systems,” Nachbahr said. “The attacker’s methods can be difficult to trace, detect and neutralize.”
Nachbahr said some of his clients can still access their CDK systems without enabling multifactor authentication, which provides advanced security protection.
“That’s a tremendous oversight,” he said.
Wednesday's chaos
The first cyberattack on CDK caused chaos throughout the U.S. auto retail segment on June 19.
The CDK attacks come a little over a week after Findlay Automotive Group was hit by a cybersecurity attack that hampered some of its sales service and operations, impairing operations for days.
A dealer in the Northeast who is a CDK customer and asked not to be identified said people may rush to criticize the DMS giant but should be mindful “that the issue is part of the world we live in today and likely to happen to them at some point. We all have to be vigilant.”
The temporary DMS shutdown had dealerships scrambling to continue selling cars and servicing vehicles. But many said business was not interrupted much.
“People these days seem to have forgotten how to use a pencil,” Ed Morse Automotive Group CEO Teddy Morse said. “We can still take the customer's information; we can still write down their concerns. We can still take a piece of paper and walk it over to the technician and get the job done.”
Allie Peters, vice president of fixed operations for Cavender Auto Group in San Antonio, said things have been rather normal on the service side at its eight rooftops. She said one of her managers early in the day asked if they should be turning customers away. She told him absolutely not.
“We’re rockin’ and rollin’,” Peters said. “But the reality is if it goes on for much longer then it gets extremely inconvenient. Right now, it’s only a little bit annoying.”
Peters said her service departments relied on other programs such as Xtime and myKaarma to check in customers and collect payments.
Repair orders were being written by hand and parts looked up online. She said once CDK is up and running as usual then those repair orders and parts purchases will have to be logged into the system.
She said some of the group’s employees have been working in dealerships long before computers.
“One of them said to everyone, ‘We’re doing this old-school today,’ ” Peters said.
A Midwestern dealership executive who asked that his name not be used because of CDK contractual requirements on information disclosure said the company first sent a message about the system being down around 2 a.m. Eastern time. A second message referring to the system shutdown as a "cyber incident" was posted around 8 a.m.
Mike Stanton, president of the National Automobile Dealers Association, said dealers are working overtime to adequately protect the data they house.
“Dealers are very committed to protecting their customer information and are actively seeking information from CDK to determine the nature and scope of the cyber incident so they can respond appropriately,” Stanton said in a statement issued to Automotive News.
Mike Martinez, George Weykamp, Gail Kachadourian Howe and Julie Walker contributed to this report.
*This article was originally published on Automotive News.