Lessons on interconnectedness and business continuity after the CDK cyberattack

A cyberattack on dealership software-as-a-service platform CDK Global has hobbled auto sellers and offered lessons in continuity planning.

Car dealerships in North America are still wrestling with major disruptions that started last Wednesday with cyberattacks on a company whose software is used widely in the auto retail sales sector.

CDK Global, which provides software to nearly 15,000 auto dealers in the US and Canada, was hit by back-to-back cyberattacks, and they have continued to have an impact at dealerships trying to salvage their operations.

For prospective car buyers, that’s meant major delays at dealerships, vehicle orders for purchases and repairs written up by hand and tracked on spreadsheets. And there’s no immediate end in sight, as CDK says it expects the restoration process to take “several days” to complete.

A cyber ransom event

Three dealership chains, AutoNation, Group 1 Automotive Inc., and Lithia Motors, said in separate government filings Monday that they use CDK in the US and are employing such workarounds to keep their stores open. Other dealership operators, including Sonic Automotive and Penske Automotive Group, have previously said they were affected.

A CDK statement on Saturday said it was recovering from a “cyber ransom event”. In a note to clients Saturday, the company acknowledged that hackers who had taken down its dealer management system (DMS) were demanding a ransom to restore systems.

“Thank you for your patience as we recover from the cyber ransom event that occurred on June 19th,” CDK said in a memo to clients on Saturday, according to a copy of the email obtained by CBS MoneyWatch.

Even if the ransom is paid, the criminals could still release some or all of the private information, and there’s no guarantee CDK will get most or all of its data back, which is always the risk of paying a ransom.

CDK spokeswoman Lisa Finney on Monday reiterated a previous statement to the WSJ that the company has begun a “restoration process” that it expects will take several days, noting that the company had launched an investigation into the “cyber incident” with third-party experts and notified law enforcement.

“Based on the information we have at this time, we anticipate that the process will take several days to complete, and in the interim we are continuing to actively engage with our customers and provide them with alternate ways to conduct business,” she added.

CDK has also set up interactive voice-response lines for customers to obtain information about the ransomware attack that has disrupted operations at its customers’ organizations. A message on that system from CDK warns that threat actors are contacting automobile dealerships, claiming to be from CDK, and trying to gain deeper access to the dealerships’ systems.

Preparing for the cyber event

It’s easy for all of us to sit back and offer criticism and lessons based on yet another cyberattack – attacks that keep multiplying in number, thanks to the rising prevalence of hackers, their increased sophistication, and the ease of selling stolen assets over the dark web.

But executives at the dealerships pointed to issues that could have been handled better. The WSJ quoted Chris Lemley, president of Sentry Auto Group, which sells Ford, Lincoln and Mazda vehicles at dealerships in New England. He said CDK’s response to the crisis has been one of its most frustrating aspects.

“The emails they sent to customers were simply signed ‘CDK Customer Care,’ as if their executives were all too afraid to put their name at the end of an email,” he said. The messages tended to contain the same basic information, he noted, with no new details in real time.

Indeed, he first learned the attack likely involved ransomware via news accounts and not the company.

With that said, the dealerships themselves should have plans in place for these types of occurrences, and (as also noted below) the whole situation makes one wonder whether too many dealerships are relying on a single vendor – a bedrock question of third-party risk management.

The DMS was so crucial to business operations – from ordering parts to bank loan origination for purchases – that it gave the impact of the cyberattack a much greater reach.

Resorting to manual processes to maintain business continuity is one solid solution, obviously. But what other solutions could have been available, had business continuity processes prepared these businesses for a (sadly) not-rare cyberattack?

Some companies fell back on alternate computer systems that introduced significant delays, likely because those systems had not been upgraded, tested, or designed to handle an outage lasting this many days and this volume of orders.

In their regulatory filings, Group 1 Automotive Inc., Lithia Motors and AutoNation described some of the smart steps they took to stem the damage.

Group 1 Automotive Inc. said that it took measures to protect and isolate its systems from CDK’s platform. Lithia said it activated cyber incident response procedures, which included “severing business service connections between the company’s systems and CDK’s.”

And AutoNation said it also took steps to protect its systems and data, adding that all of its locations remain open “albeit with lower productivity,” as many are served manually or through alternative processes.

All businesses must consider how dependent they are on one vendor – or even on one type of management system, since this DMS was used for every function. “Even stocking a vehicle, you can’t do it without the DMS system. So it is a disaster,” one CEO told Bloomberg.

One idea: The businesses could have accessed industry associations for greater assistance and engaged with them prior to these disruptions to prepare, perhaps by having a collective commitment to keeping each other informed and sharing best practices. (This can be done through organizations like the CISO Executive Network and others on a routine basis.)

Ongoing strategizing

Hackers are attacking critical infrastructure providers in order to knock them offline – which is how the cyberattack on billing and payments operator Change Healthcare, an enormous player in the healthcare sector and owned by United Healthcare, caused disruptions at a large number of clinics, billing companies and pharmacies. (Again, this illustrates vendor over-dependence.)

Businesses need to learn from the crises affecting others and the ones they face personally; in the meantime, they can consider doing the following:

  • making sure larger business continuity and contingency plans include such scenarios as this one;
  • retaining back-ups for vendors and critical technology;
  • investing in security technology and skilled, in-house personnel;
  • having sufficient cybersecurity insurance coverage;
  • maintaining customer trust with a clear plan of action and well-crafted communications;
  • doing the drills before the actual event occurs to test safeguards and revisit permissioned access rights;
  • having an incident response team and plan so you know who does what in the crisis and when;
  • working with law enforcement and experts, for many reasons, including that they might know about how these hackers operate and to ascertain exactly what was compromised, and whose data was compromised, since those people will need to be notified;
  • strictly vetting vendors for their cyber resilience on an ongoing basis; and
  • communicating with the right internal and external experts about any threats of litigation and about meeting cybersecurity regulations as a regulated business.

The hackers are to blame here. But these situations offer businesses a chance to regroup and reconsider their vendor dependencies, workarounds, testing, communication practices, skillsets and risk-management protocols, in order to uncover existing risks, identify the steps needed to improve security and responsiveness, and get back to making a profit.