Is this the biggest hack in car history?
The CDK hack caused nearly a billion dollars in losses, but the problem is bigger than that
Hello! Welcome to our first Saturday edition. Today, we're discussing the CDK hack and its ramifications in car sales.
This hack exposed a critical weakness in automotive dealerships. These companies had one system to rule them all, and the hacking showed their vulnerability.
According to many experts, the consequences are far from over. Plus, part of the case is still unresolved. This comes at a time when hacks are becoming more common.
As always, if you want to listen to the extended version of this newsletter, remember to check out our podcast here!
SATURDAY SPECIAL
How the biggest hack in automotive history caused $944 million in losses
This hack rattled the automotive industry. Plus, it highlighted massive weaknesses. With hacks becoming more common, what can dealerships do in the future?
In June 2024, more than 15,000 dealerships in the US saw their systems shut down. In the middle of this storm, one name kept coming up: CDK.
Here’s why it matters.
What's CDK, and why is it so important?
We need to go back five decades to understand what happened throughout June 2024.
Computers proved their worth in data processing, such as tracking inventory, sales, and accounting. So, more and more sectors were adopting data processing systems that would allow them to operate more efficiently.
In this era that preceded the 80s technology boom, the companies available were few and far between. Services were a fraction of what they are today.
However, you could still find systems for accounting and inventory. One such company was Automatic Data Processing or ADP (and it makes me wonder how much time they spent thinking about the company name).
ADP created a Dealership division in 1973. This was after acquiring two companies, NICS and CSI (not the crime dramas on TV).
After buying these, ADP could provide almost everything for dealerships. The services were accounting, financial reports, sales analysis, lease accounting, parts inventory control, CRM systems for sales and service, and even payroll.
Thus, dealerships didn't have to worry about anything. They just used ADP and were home free. That's what helped ADP Dealer Service go from a molecular-level provider to a nationwide behemoth.
This growth came thanks to acquiring more than 30 companies in 41 years, averaging almost an acquisition every fifteen months.
This review from a Quora user, even back then, highlights how weak the IT department was, which worsened after a big moment in 2014.
That year, ADP spun off its dealer services and created CDK, which continued to grow thanks to relentless acquisitions. Meanwhile, dealerships continued to trust the system. But authorities thought otherwise.
The antitrust lawsuit
Many antitrust lawsuits come to mind. The most famous include Microsoft (twice), Google, Bell Atlantic, and, back in 1911, the American Tobacco Company.
These companies had grown so much that they were competitor killers, and authorities had to step in. Recent cases include the Federal Trade Commission's failed efforts to stop Meta and Alphabet (Google).
You can read more about them here.
The same thing happened with CDK; it's only that many of us weren't aware of the company's size and power.
In 2017, CDK, along with Reynolds and Reynolds (another provider), was sued by a smaller competitor, which alleged that the two were creating a duopoly. Ironically, this was the second such lawsuit in a matter of days.
Previously, another company had sued the two because CDK and Reynolds and Reynolds had "agreed to no longer compete with each other's data." This created an unbeatable duopoly.
Interestingly, CDK settled with the suing company for an undetermined sum. The case was swept under the rug.
CDK thus went back to operating challenge-free as dealerships continued to use their services. Meanwhile, the US continued to shop for cars with no hesitation. That was until June 2024.
The cyber attack began that month, but as it unraveled, industry experts began to call out that the problem was bigger than expected.
The cyber attack
On June 19, 2024, CDK Global announced that it was shutting down most of its systems due to "an abundance of caution." That same afternoon, the company reactivated some systems, only to have them hacked again.
Here’s a timeline by USA Today.
CDK was forced to shut down its systems again, and this time, for longer. And so, 15,000 dealerships were left drifting powerless. With no ability to check inventory, sales, billing, or anything, these dealerships had to resort to good old paperwork.
The problem is that the hack happened at a critical date.
July 4 is a big day for automotive sales. Historically, automakers and dealerships have seized on this date as a crucial one for buyers.
The celebration of independence isn't restricted to fireworks. People want to reclaim their freedom on the road, which generally means buying a car.
So, it's customary to see incentives, discounts, and deals pop up around those days, although these have dropped since the pandemic, as this article by KBB states. Still, people take advantage of this date and begin surfing the web for deals, even a month before.
The problem was that this time, there was no system. Possible buyers couldn't ask dealerships for discounts because dealerships had no data.
This video shows the pressure that was on dealerships.
By June 21, CDK was still navigating the hack, but rumors of who was behind the attack began spreading. The name BlackSuit began to appear. It was an Eastern European cybercriminal team from a Russian-linked group called RoyalLocker.
Their demands were simple, but not easy. They had asked for 25 million dollars. Or else.
One day later, CDK released statements that the restoration process had begun, but it would take weeks. After that, the company dropped tiny bits of information as if leaving a crumb trail toward a truth that would never come out.
After all, the company admitted they were still struggling but working hard on a solution.
The problem was that the company's approach to getting its systems back online seemed amateurish.
By June 28, CDK had solved only part of the problem. The systems were being reactivated in a "phased approach," and the company had insisted that, by July 4, the systems would be reactivated.
This didn't happen. Instead, results came in by July 22, 18 days after the famed July 4th date. CDK revealed that it had restored around 90% of outside software connections affected by the hack. While this is admirable, it was far from what it had initially promised.
But had this been CDK's fault, or had BlackSuit been an extremely efficient hacking group? The answer lies somewhere in between.
The 25-million-dollar aftermath, or more?
On June 21, two days after the attack, a cryptocurrency wallet received 387 bitcoins, which was roughly $25 million.
Immediately after the bitcoins entered the wallet, 15 million dollars changed hands in a complex maze of transactions. In total, there were over 200. Then, six million dollars more landed in 15 different addresses, and by mid-July, the 25 million were gone.
While cryptocurrency is often described as untraceable, transactions are recorded on a public ledger, so experts can still track the moves that might belong to a given wallet.
Plus, an anonymous source confirmed to Cyberscoop, a tech magazine, that the payment had been made.
CDK had dished out the money, but what did such actions mean? Industry experts were left concerned. Days after the hack, it was easier to put the pieces together and realize that the company was weaker than anyone had expected.
Kathi Kruse is an automotive blogger with extensive experience in dealerships. After the hack, she took to her blog to rip on the company. Her arguments are fascinating and poignant.
First, she points out these six flaws, of which the most crucial is that there's no recovery plan. The failure to create a backup plan is critical. However, Kruse also criticized a phenomenon in the automotive industry and in databases in general.
CDK was part of a massive deal in 2022 when private equity swept in with $8.3 billion and delisted the company. Here are the details.
Here's what she had to say about this:
CDK is an ancient program — not a lot has been done to upgrade the original version for decades. This is standard operating procedure when companies/private equity buy legacy companies. Innovation is not the goal.
You can check out her blog here.
The value of working with 15,000 dealerships is definitely much more important than keeping those dealerships safe. As for the dealerships themselves, their hands are somewhat tied.
There's an added benefit to having such a massive system. Interconnecting with other dealerships is crucial.
Plus, migrating to another one could place them at a disadvantage, even if the current one is severely flawed.
The problem with this approach is that CDK walks away unharmed. Sure, the company might have a tiny dent in its wallet from paying 25 million in ransom. However, the dealerships face much more significant, severe consequences.
The Anderson Economic Group estimates the hacking could lead to $944 million in direct losses to automotive dealers. According to AEG, losses could add up to nearly a billion, and these are the three leading causes.
As the storm subsides and dealerships race to recover, it's clear that these massive systems will become much more enticing and vulnerable in the future.
Hackers around the world are looking at them. If the automotive sector doesn't want another crisis, it knows who to pressure to improve its defenses.
NEWSBITES
Every week, we scour the web for the most essential news. Here’s what you need to know this week:
Could pollution charges take effect in the US? London might have the answer
Used cars keep rising in value, thanks to new cars being so expensive
Which brand makes the prettiest cars? Here’s what KBB found out
Remember to listen to our podcast here
Did you enjoy our new format? We'll send a longer read on Saturdays and our regular newsletter on Tuesdays.