Cyber Incident Victim: CDK Global, LLC

Date: Jun 2024

Location: United States of America

Summary

A major SaaS provider for automotive dealerships experienced a significant cyberattack, forcing widespread system shutdowns to contain the incident and disrupting operations for over 15,000 affiliated businesses across North America. The attack crippled critical services including customer relationship management, inventory tracking, financing, and back-office functions, compelling dealerships to resort to manual processes like spreadsheets and paper records while some sent employees home. Though partial restoration of phone systems and core platforms occurred, full recovery timelines remain unclear amid unconfirmed reports of ransomware involvement and compromised backups. The incident raised concerns about potential network infiltration risks via always-on VPN connections, prompting advisories to disconnect those links as a precautionary measure.

Description

On June 19, 2024, CDK Global, a software-as-a-service provider supporting over 15,000 North American car dealerships, experienced a significant cyberattack that forced the company to shut down most of its IT systems, including applications, phones, and data center operations. The incident began overnight, with CDK taking its two data centers offline at approximately 2:00 AM as a containment measure. The company confirmed the cyber incident in communications to customers, stating the shutdown was precautionary and that no recovery timeline was immediately available. CDK’s platform manages critical dealership operations such as customer relationship management (CRM), financing, payroll, inventory management, and service coordination, requiring an always-on VPN connection between dealerships and CDK’s data centers. Following the attack, CDK advised dealerships to disconnect these VPNs due to concerns that threat actors could exploit administrative privileges in CDK’s software—used for automated updates—to pivot into dealership networks. Initial attempts by some users to access systems using legacy credentials were unsuccessful, as core applications remained nonfunctional despite login capabilities.

The outage caused severe operational disruptions across dealerships, halting sales transactions, parts ordering, service repairs, and financing activities. Employees reported reverting to manual processes such as paper records, Excel spreadsheets, and physical notes to manage limited operations, with some dealerships sending staff home due to inactivity. Parts departments could not process major repairs, and sales teams lacked access to inventory or financing systems. Unconfirmed reports suggested the incident involved ransomware that may have compromised backups, though CDK did not publicly confirm this. The company issued a statement acknowledging the ongoing investigation and restoration efforts, emphasizing caution in reactivating systems. By late afternoon on June 19, CDK partially restored phone systems, dealer management systems (DMS), and Digital Retail platforms, with logins enabled for Unify and DMS applications. Testing continued for other services, but full functionality had not been restored. The scale of the disruption underscored CDK’s critical role in automotive retail, with prolonged recovery timelines anticipated if ransomware had damaged infrastructure or data theft had occurred.
