Auto retailers across the US are likely to be out of service for days following a second major cyberattack at CDK Global, the software provider that thousands of dealers rely on to run their stores.
“At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available likely for several days,” the company said in a communication sent to customers on Thursday that has been reviewed by Bloomberg.
A CDK spokesperson did not immediately respond Thursday to an email and phone message inquiring about the message it sent to customers.
CDK informed customers Thursday of the incident, which occurred late the prior evening. The company shut down most of its systems again, initially saying that its dealers’ systems “will not be available at a minimum on Thursday.”
On what otherwise would have been a busy US holiday for business, dealers reliant on CDK were unable to use its systems to complete transactions, access customer records, schedule appointments or handle car-repair orders. The company serves almost 15,000 dealerships, supporting front-office salespeople, back-office support staff and parts-and-service shops.
The outage also extended to hundreds of dealerships in Canada, with retailers relying on pen and paper to work on deals, said Tim Reuss, president of the Canadian Automobile Dealers Association. Those transactions will eventually need to be logged digitally once the systems are back online, he said.
“There’s going to be a bit of a hangover from this incident,” he said.
AutoNation Inc. led shares of publicly listed dealership groups lower Thursday, falling as much as 4.6% in intraday trading. Lithia Motors Inc., Group 1 Automotive Inc. and Sonic Automotive Inc. also slumped.
CDK is among a small cadre of companies that provide dealership management systems to auto retailers, along with Reynolds & Reynolds Co. and Dealertrack, a unit of Cox Automotive.
Dealerships reported varying degrees of impact on Thursday, with some saying in social media posts that they were unaffected by the hack. Others said they still experienced disruptions even though they used DMS systems from CDK’s rivals.
Greg Thornton, the general manager of a dealership group in Frederick, Maryland, said his stores’ CDK customer-relations software had been down since early Wednesday morning.
“I can only assume that CDK is working all hands on deck to resolve this,” said Thornton, whose group includes Audi and Volvo stores. “We’ve had no conversations with them in person or over the phone.”
Open Road Auto Group’s 19 dealerships in New York and New Jersey utilize Reynolds & Reynolds but have been unable to deliver new vehicles since the outage began Wednesday, said Michael Morais, president of the dealer group.
That’s because other CDK services outside the primary DMS are also down, including one that links dealerships with state motor-vehicle departments for titling and registration, he said.
“We’re frustrated with CDK because they should have better precautions,” Morais said.
Sam Pack’s Five Star Chevrolet outside Dallas sold four vehicles on Wednesday despite the initial outage, but has had to adapt, such as by handling some tasks on paper until service is restored, said Alan Brown, the store’s general manager. While sales staff are able to submit approvals to lenders, the outage has blocked other elements of a transaction, such as obtaining titles.
“We’re still doing business,” Brown said. “It’s just not our normal flow.”
CDK hasn’t yet provided a timeline for when its systems will be available again, he said.
The National Automobile Dealers Association said Wednesday it was actively seeking information from CDK to determine the nature and scope of the cyber incident.
CDK was spun off by Automatic Data Processing Inc. in 2014, then agreed to be acquired in April 2022 by the investment company Brookfield Business Partners in an all-cash deal valued at $6.4 billion.
— By Craig Trudell, Evan Gorelick and Kara Carlson (Bloomberg)
First incident
Thousands of car dealerships were ground to a halt during a normally busy holiday Wednesday by a cyber incident at CDK Global, a major software provider for dealers across the US.
The company “shut all systems down and executed extensive testing and consulted with external third-party experts,” Tony Macrito, a CDK spokesman, said in an email. The company’s core product — a dealer management system — and its digital retailing solutions have been restored, and CDK is testing all other applications and will provide updates as it brings them back online, Macrito said.
CDK’s systems, which many car dealerships rely on to conduct almost all of their normal business, first went down around 2 a.m. Eastern time, said Brad Holton, vice president of Proton, a cybersecurity firm that serves dealers and the auto industry.
He said CDK provided little information on what caused the outage that effectively shuttered many dealerships. Some were unable to function at all and others were forced to resort to paper record-keeping for routine services like oil changes, Holton said.
A BMW store in Manhattan told customers that it was forced to halt all new business, including scheduling appointments or car servicing. When asked how long its operations may be disrupted, a customer care representative for the store responded, “I truly have no idea.”
Other dealerships also struggled to do business. “We can’t access customer records, can’t set certain appointments. We can’t even print a repair order,” said Claire Glassmire, a receptionist at Barbera’s Autoland in Philadelphia. Employees have been using workarounds all day, said Glassmire, adding that “all our hands are tied.”
Proton’s Holton said some CDK functions began to come back online Wednesday afternoon, but others remained down and the restored services weren’t fully operational.
A spokesperson for Toyota Motor Corp. said the issue had been resolved and there was almost no impact to the Japanese automaker’s dealer network. Subaru Corp. said no impact had been reported.
“Dealers are very committed to protecting their customer information,” said Mike Stanton, president and chief executive of the National Automobile Dealers Association, adding that they are “seeking information from CDK to determine the nature and scope of the cyber incident so they can respond appropriately.”
CDK provides dealerships with services including online appointment-scheduling, electronic-signature capabilities and messaging tools between divisions, according to its website.
Investment company Brookfield Business Partners agreed to buy CDK in an all-cash deal with an equity value of $6.4 billion in April 2022.
— By Craig Trudell, Jake Bleiberg, Lynn Doan and Cailley LaPara (Bloomberg)