“As the incident is ongoing, the full scope, nature and impact of the incident is not yet known”: AutoNation today.
ByWolf RichterforWOLF STREET.
When the $8.3 billion acquisition of auto-dealer software provider CDK by a PE firm under Brookfield Asset Management was completed in July 2022, the mergers & acquisitions firm, Paul Weiss, which had advised CDK on the deal, said in a now ironic press release: “The deal will allow CDK to continue to elevate the dealer and consumer experience when selling, buying or owning a vehicle.”
Less than two years later, last Wednesday, CDK’s customers, including the biggest auto-dealer chains in the US, watched helplessly as a ransomware attack shut down CDK’s cloud-based software system, depriving all of its customers – 15,000 dealerships in total – of the most basic daily tools to run their new and used-vehicle sales operations, their parts and service operations, their inventories, their back-office operations, customer contact systems, loan applications, etc.
Dealers have resorted to writing up sales orders and service orders by hand, then hand-typing all this into spreadsheets or whatever, to track it somehow, hopefully not making the situation even worse by adding typos into VINs, repair order numbers, names, and other key data. Then, someday, when the system is up and running again, they hope to re-type – or maybe copy and paste? – all this from spreadsheets into the CDK software system, praying all along the way to not make the situation even worse by introducing more typos into key data.
The publicly held auto dealers – there are not many, but they’re huge, with lots of big dealerships around the country – have started to warn about the still unquantifiable consequences. And this could ripple across the economic data for Q2.
AutoNation [AN], the largest dealer chain in the US, said in an SEC filing today that it had been notified on June 19 that CDK, “was experiencing a cyber incident impacting its systems, including the systems necessary to support our dealer management system (“DMS”), which supports our dealership operations, including our sales, service, inventory, customer relationship management, and accounting functions.”
It said its stores remain open, “and we are continuing to sell, service, and buy vehicles, and otherwise serve our customers, through manual and alternative means and processes, albeit with lower productivity.”
“As the incident is ongoing, the full scope, nature and impact of the incident is not yet known,” it said.
Group 1 Automotive [GPI] said in an SEC filing today that “all Group 1 U.S. dealerships continue to conduct business using alternative processes until CDK’s dealers’ systems are available.”
“CDK has advised that it anticipates the restoration of the dealer management system will require several days and not weeks. The timing of the restoration of other impacted CDK applications remains unclear at this time,” it said.
“Group 1’s ability to determine the material impact, if any, of the CDK incident and the resulting service outage, will ultimately depend on a number of factors, including when, and to what extent, the Company resumes its access to the CDK’s dealers’ systems,” it said.
Lithia Motors [LAD] said in an SEC filing today, “The Company, whose dealerships continue to operate, has implemented mitigation plans to minimize disruptions and continue serving its customers. While this incident has had, and is likely to continue to have, a negative impact on the Company’s business operations until the relevant systems are fully restored, the Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
Sonic Automotive [SAH] said in an SEC filing on Friday, “All of the Company’s dealerships are open and operating utilizing workaround solutions to minimize the disruption caused by this CDK outage.”
“As the incident is ongoing, the full scope, nature and impact of the incident, including the extent to which the threat actor accessed any customer data, are not yet known,” it said.
“While this incident has had, and is likely to continue to have, a negative impact on the Company’s business operations until the relevant systems are fully restored, the Company has not yet determined whether the incident is reasonably likely to have a material impact on the Company’s financial condition or results of operations,” it said.
Penske Automotive Group [PAG] said in an SEC filing on Friday that its consumer-brands of dealerships were not using CDK’s software, and were not impacted, but its 48 heavy-truck dealerships were. The commercial truck dealership business – selling primarily Freightliner and Western Star trucks – “has lower unit volumes than the automotive dealership business and principally serves business customers,” it said.
CarMax [KMX], the largest used-vehicle dealer in the US, said during its earnings call on Friday that it does not use CDK and wasn’t directly impacted by the hack, but that it works “with a lot of other dealers” to get parts to repair vehicles, and if their systems are down, there would be a “minor” impact on CarMax, and “there is a little impact on title work as well. But I would say it’s just minor in the scheme of things as far as the impact on us,” CEO Bill Nash said.
Impact on economic data for Q2: The industry is now heading into the last few days of the second quarter for purposes of the closely-watched reporting of deliveries of new vehicles to customers. Deals that got hung up could prevent the vehicle from being delivered by the quarter’s cut-off date, which may ripple across all kinds of Q2 economic data. Vehicle retail sales are an important factor in consumer spending.
CDK shrouded itself in opacity about the nature of the hack. Emails to dealers have called this event a cyber incident and cyberattack. On Friday, Bloomberg reported that this was a ransom attack. On Saturday, CDK admitted that it was recovering from a “cyber ransom event.”
Today, Bloomberg reported, citing the security firm Recorded Future, that the attack had been undertaken by hacking group BlackSuit. “The cybercrime group has demanded an extortion fee in the tens of millions of dollars from CDK, which plans to make the payment,” Bloomberg said.
There is still no information if the hackers were able to get the data of the effected dealerships’ customers, such as the data on applications for car loans.
Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:
Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.
