Cyber Incident Victim: ADP
Date: Jun 2024
Location: United States of America
Summary
A major SaaS provider for automotive dealerships experienced a significant cyberattack and shut down systems broadly to contain the incident. The outage disrupted operations at over 15,000 North American dealerships that rely on its platform for CRM, inventory, sales, and financing services, forcing manual workarounds such as paper-based processes and sending staff home. Concerns emerged that the attacker could pivot into dealership networks through the always-on VPN connections to the provider, prompting recommendations to disconnect those links. Phones and core systems were partially restored, while other applications remained offline during security testing. Unconfirmed reports suggested ransomware involvement with possible backup compromise, though the company's official statements focused on ongoing recovery efforts without confirming attack specifics.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 4 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 19, 2024, CDK Global, a SaaS provider supporting over 15,000 North American car dealerships with critical operational software, experienced a significant cyberattack that forced the company to shut down most of its IT systems. The incident began during the overnight hours, with CDK taking its two data centers offline around 2:00 AM in response to the breach. This action disabled core services including customer relationship management (CRM), financing, payroll, inventory management, and back-office applications that dealerships rely on for daily operations. CDK confirmed the cyber incident via customer communications, stating that it had proactively disabled systems "out of caution and concern for our customers," but gave no restoration timeline in its initial notifications. CDK's architecture required dealerships to maintain always-on VPN connections to its data centers, so CDK advised clients to disconnect those VPN sessions as a containment measure. Cybersecurity experts linked that recommendation to concerns that administrative privileges held by CDK software on dealership systems could allow a threat actor to move laterally from CDK's environment into dealership networks.

The system outage caused immediate operational paralysis across thousands of dealerships, forcing employees to revert to manual processes using spreadsheets, post-it notes, and paper records for parts distribution, repair orders, and sales transactions. Service departments reported that they could not process major repairs or track inventory, while sales teams lost access to financing and digital retail platforms. Multiple dealerships sent staff home because workflows were completely disrupted, with employees on discussion forums describing the environment as "dead vehicles with nothing to show for them." CDK began partial restoration by late afternoon on June 19, reactivating phone systems, dealership management systems (DMS), and digital retail platforms, though other applications remained offline pending security testing. Unconfirmed reports suggested ransomware involvement that potentially compromised backups, though CDK did not publicly confirm attack specifics. The incident's duration remained uncertain; industry observers noted that comparable ransomware incidents typically cause multi-day outages that extend into subsequent weeks while data recovery and negotiation take place.
