The CDK Global cyber attack left thousands of North American automotive dealerships inoperative after the SaaS platform was forced to go offline. The breach has been making major headlines as dealerships representing the biggest names in the automotive industry struggled to conduct business.
This breach shows the vulnerability all businesses face when working with third parties for any service. Luckily, we can learn from this story before it’s too late. In today’s newest edition of our breach review blogs, we’ll dissect the CDK cyber attack and the lessons any business can learn from the unfortunate event.
CDK Global is a prominent Software as a Service (SaaS) company specializing in solutions for automotive dealerships. Their platform helps manage the financial and operational aspects of car dealerships, serving major clients like Stellantis, Ford, and BMW. However, recent events in the news have highlighted some cyber security incidents experienced by the company.
Despite CDK Global’s claim of a robust three-tier cyber security strategy designed to “prevent, protect, and respond” to cyber attacks, the automotive SaaS company has faced one of the biggest headline breaches of 2024.
Although CDK never shared how this breach began, a client lawsuit states that the cause was partly a lack of cyber security training for employees. With this information, we can infer that the breach likely began with a phishing or social engineering attack conducted on one of CDK’s employees.
CDK faced two breaches in only one day, which leaked tens of thousands of pieces of sensitive customer data, including SINs, financial information, and driver’s licenses. The breaches also forced CDK to shut down its networks, disrupting the operations of its thousands of dealership clients.
One CDK customer claimed that its dealership’s customers were coming into their location, but due to the operations disruptions, their salespeople couldn’t “close deals, can’t finance the deals, or get them to the bank.”
CDK currently faces 8 lawsuits from different dealerships that claim the operational shutdown and data leak have resulted in revenue loss and brand reputation destruction.
Regardless of industry or expertise, all employees should receive comprehensive cyber security training. CDK is an expert company in handling data, so they may have expected their employees to know enough to not need much cyber security training.
However, even employees who specialize in IT or security can have a false sense of security, and fall victim to cyber security scams. Every employee, at every level of seniority, in any industry must be trained to spot and defend against cyberattacks that may target them. They need to understand that security technologies can’t be expected to stop all attacks. That’s why it’s important to deploy engaging training that allows employees to learn and practice defensive techniques in a safe simulation environment.
Once inside CDK’s network, the cyber criminals moved laterally across it to access critical data and functions. Employees should only have access to the systems they need to use for their job tasks.
Check on your network architecture and access controls. If an intruder gains access to your network, can they access multiple systems freely? What do your permissions look like? Are there passwords or other measures required to gain access to sensitive systems?
Develop and maintain a thorough incident response plan that considers every stakeholder. When you are creating your response plan, think about:
When the first breach occurred, CDK rushed to get its network back online, perhaps without having a full picture of the situation. This may have led to an inadvertent escalation of the situation. Apparently, the cyber criminals were able to attack again and access even more consumer data. A client accurately compared this to, “a doctor stitching up a wound without first removing the debris.”
Had CDK waited until everything was cleaned and checked before putting their system back online, they may have avoided the second attack.
It is never a good idea to unduly rush your incident response process. Make sure all needed steps and checks are completed before bringing your systems back online again.
Collaborate with your operations, product and support teams to discuss how your organization would function if systems went offline.
The CDK breach should be a lesson for all businesses to strengthen their cyber security training, and to review their processes and plans. CDK now faces 8 lawsuits and long-lasting reputational damage, which they may have been able to avoid with more proactive measures. By constantly reviewing and strengthening your security program, you can lessen the likelihood of it happening to your organization.