The Impact of the CDK Hack Will Take Years to Play Out

June 27, 2024 — Late Thursday afternoon, CDK Global began rebooting the systems for a test group of dealers, following a two-pronged cyber attack more than a week ago.

(UPDATED July 11 — According to a CNN report, CDK likely paid a ransom of $25 million to the hackers on June 21 — in numerous conversations with industry folks since the hack, TBR estimated the ransom would be no more than $25 million, based on our research detailed further in this report).

Following yesterday’s successful test, CDK plans to implement a phased restoration of its systems for its dealers. Barring any unforeseen setbacks, a full restoration should be complete over the next several days.

The ransomware attack, which apparently occurred in two phases on the evening of June 18 and again on June 19, sent shockwaves through the industry, shutting down approximately half of the nation’s new car dealerships. The impact of the attack will be an ongoing story that will take years to play out.

Approximately 9,000 to 9,500 new car dealerships in the U.S. (about half of the market) use CDK’s dealer management system. (That number is an estimate based upon various industry reports and what CDK reported in its SEC filings prior to Brookfield Partners taking it private in mid-2022).

CDK also claims on its website about 15,000 of the industry’s 18,200 dealerships use at least one of its solutions, which include the DMS, digital retailing, CRM, finance and insurance, fixed operations, and network communications.

CDK also counts 1,000 heavy truck dealerships as clients and provides vehicle and titling services via its Computerized Vehicle Registration (CVR) solution, which processes nearly 15 million vehicle transactions and more than four million DMV inquiries annually across 17 states.

OEMs and other technology vendors use CDK for data integration and transfer. According to CDK’s website, the company manages at least two petabytes (2,048 terabytes) of data for the auto retail industry.

The six publicly traded dealer groups (about 1,100 dealerships) use CDK as their primary DMS and technology provider and have informed investors in the last few days that the attack on CDK will impact their operations. The Penske Automotive Group, whose new car dealerships are on Reynolds and Reynolds, uses CDK as its primary technology vendor for its heavy truck dealerships.

THE IMMEDIATE IMPACT

Dealerships

For dealers on the CDK system, everything that had been automated for nearly two decades is now being done by hand and on paper, which has slowed operations down significantly. (Read more here about the impact on dealerships).

Business offices are filling out paperwork and deals by hand, then handing them to runners who drive them to the state DMV offices—most of which have had to create new processes to handle titling and registration by paper. On the surface, it sounds simple. But life is seesawing between severe inaction and intense activity inside the impacted dealerships.

On the fixed operations side, dealers also have to complete warranty paperwork by hand, causing several OEMs to extend deadlines for dealers filing warranty claims.

The operational impact felt in dealerships should be short-term—likely two weeks at most—while the financial impact will likely take longer to work out.

Over the next few months, dealers will feel the pain of stricter compliance regulations that are taking effect this year, along with what will likely be higher cybersecurity insurance premiums.

The Banks Report has also learned of several buy-sell transactions that have been delayed due to the cyber attack.

This attack, though, should be a wake-up call for dealerships. In 2014, The Banks Report predicted the auto retail industry would become a new front in the cyber security war and that ransomware attacks on dealerships would become more common.

In the last 10 years, The Banks Report estimates ransomware attacks on dealers number in the hundreds, representing millions in lost revenue. The most recent attack came just days before CDK’s incident when a hacker took down the 35-store Findlay group. The attacks will probably increase in number and intensity in the coming months.

Overall, for the industry, at least from a sales perspective, a joint J.D. Power and GlobalData Plc forecast this week predicts that dealer software system disruptions should be rectified by July, with most of the lost June sales recovered within the month.

While certain analysts have pegged total revenue loss to be as high as $16 billion, it is hard to put a dollar figure on what that number will end up being — although it will probably be much lower. Whatever car sales or repairs did not happen this month will be pushed to next month or captured by other dealers. Increased security and financial audits will add to the financial impact over the next several months — and likely years.

Vendors

Unfortunately, third-party vendors will likely experience a financial hit over the next several weeks, as dealers impacted by the CDK outage will use it as an excuse to delay payments for the next couple of months.

Vendors will also have to spend money auditing their systems to prove to OEMs and dealers that they are taking the necessary steps to mitigate possible cyber attacks.

CDK Global

The long-term impact on CDK’s future is a chapter that has yet to be written. It is undoubtedly a huge black eye for a company that has been leading the charge on dealership security for the last several years.

Clearly, the shorter the outage, the less impact it will have on CDK’s business.

CDK should survive this event. It is the industry leader with a solution that is painful for dealers to change. The DMS is the dealership’s technology backbone. Conversion to a new platform is difficult for employees and often happens only if a dealer believes a move will provide significant financial benefits.

The industry has few competitors in the DMS space. Based on our estimates, the industry can handle about 150 to 175 conversions a month without straining the entire system—and that assumes every company is fully staffed and operating without any hiccups when transitioning dealers to a different system. It is hard to see a mass migration or loss of customers over the next several months, but time will tell.

The bigger loss likely will come from CDK’s CRM solution, eLead. But certainly, CDK’s main competitors, Reynolds and Reynolds, Dealertrack, and Tekion, are putting on the full court press to lure dealerships over.

The expected revenue loss from the cyber attack will also hurt or delay the plans of Brookfield Business Partners, CDK’s owner, to craft an attractive exit in the next couple of years. The hack will also impact M&A activity throughout the industry. It will certainly increase the scrutiny potential investors and buyers exert on acquisition targets. Cyber security likely will become as important as margin growth is today.

(Updated 6/27/24) The prevailing question seems to be whether this attack pushes CDK into a possible bankruptcy. It is hard to predict based on the limited information we have today, but it seems unlikely. The few companies in the last couple of years that have declared bankruptcy following a ransomware attack were already under significant financial pressure.

Here is what we do know:

  • CDK’s customer relationship management solution, eLead, lost one of its biggest clients to a competitor in the last few days, due to the ransomware attack.
  • DMS competitors are reporting numerous CDK clients are reaching out to explore switching providers.
  • CDK was already under pressure from some of its largest clients before the attack last week. Earlier this year, the Asbury Automotive Group announced it would begin testing Tekion’s DMS at a limited number of stores in the third quarter. In February, as part of its acquisition of the Pendragon dealership group in the United Kingdom, Lithia Motors created a joint venture with Pinewood Technologies, saying it intends to co-develop a DMS for the U.S. market. The Banks Report also has learned of another large dealer group that intends to test the Tekion DMS in the near future.
  • At least six lawsuits have been filed in Illinois’ Northern District Court since June 22 (the most recent was filed this morning), due to the cyber attack. This is just the beginning. Expect several more lawsuits to be filed in the near future. On another note, CDK knows the Illinois Northern District Court well. It is still engaged as a defendant in a multi-district litigation (MDL) class action suit filed by a few dealers in 2018 claiming CDK had violated antitrust regulations. (CDK has settled with most of the plaintiffs. Reynolds and Reynolds, also a defendant in the litigation, has settled with all of the plaintiffs.)
  • In addition to paying potential lawsuit settlements, CDK will experience a significant financial hit as dealer clients will seek to recoup revenue lost due to the interruption of their businesses.

Here is what we do not know:

CDK has yet to confirm if the hackers were able to download any data from its systems. It is a key question because the answer will determine much of the overall financial impact on the firm, including lawsuit settlements, insurance premiums, and loss of clients.

We also do not know the ransom CDK likely had to pay to regain access to its systems. CDK has not confirmed the identity of the alleged hacker but various media reports quoting CDK sources this week claim BlackSuit, a new group operating in Eastern Europe, is the perpetrator. (Read more about BlackSuit here.)

Several social media posts this week claimed that CDK has paid between $70 million and $1 billion in ransom fees. We have yet to find any ransomware payments that come close to those numbers. We do not know what CDK paid — or if it even paid the attackers. And it is possible CDK will not disclose publicly whether — or how much — it paid.

Below is some context of recent ransomware payments:

1. United Health Care, a $281.4 billion company, paid $22 million this year to the hacker that allegedly attacked its subsidiary Change Healthcare in February. (CDK is a $1.5 billion company — owner Brookfield Partners generated approximately $55 billion in revenue last year).

2. Multiple companies impacted by the recent Snowflake breach are reporting being asked for anywhere from $300k to $5 million.

3. Black Basta, which has been involved in more than 500 alleged attacks since 2022, is estimated to have earned just over $100 million in ransom fees. (That number likely does not include the dollar amount—if any—that Ascension Hospital system paid from the attack on May 8.)

4. Akira, alleged to have initiated more than 250 attacks in the last couple of years (including Nissan in 2023) generated an estimated $42 million in ransom fees.

5. (Updated 6/27/24) The highest ransomware payment The Banks Report has seen is $40 million paid by CNA International to the Phoenix Group in 2021. CNA reportedly negotiated the final payment down from the original $60 million demand.

6. According to CDK’s The State of Dealership Cybersecurity 2023 report (yes, we see the irony), 17% of the 175 dealerships surveyed were victims of a cyber-attack last year, several of which include ransomware attacks. Dealers reported paying an average of $740,144 in ransom payments in the second quarter of 2023, up 125% over the average paid in the first quarter of that year.

7. (Updated 6/27/24) According to a comprehensive study published by cybersecurity firm Sophos (the study provides fascinating data on the state of ransomware attacks today and is well worth the read), the average ransom paid in 2023 was $1.54 million, more than double the average payment in 2022. That number now is nearly $4 million.

For now, the industry is in the midst of the fallout. CDK is still at the early stages of bringing dealerships back online. We do not know if another attack — on either CDK or other vendors — is lurking. So many questions and few answers…


