The cyberattack testing a trillion dollar industry

On this special edition of the CDG podcast, Car Dealership Guy Founder/CEO Yossi Levi hosted a live panel discussion on X that over 4,000 viewers tuned in for. This panel was designed to dive into all things concerning the CDK Global outages, including the current state of play for dealers, operational workarounds, and what could be coming down the pipeline in the coming days/weeks. 

Meet the panelists:

  • Andrew Wright, Dealer Principal of Vinart Dealership Group

  • Brad Miller, Chief Regulatory and Compliance Officer and Head of Legal for Comply Auto 

  • Brian Kramer, Executive Vice President at Cars Commerce and General Manager of Accu-Trade

  • David Spisak, automotive consultant and President/CEO of Disruptive Growth Solutions

  • Melissa Kuipers Blake, State and Federal Lobbyist and Lawyer

  • Todd Caputo, automotive consultant and President of Todd Caputo Consulting 

  • Yaron Rosen, CEO of FUSE Autotech

(00:00) - Introduction and context

(01:21) - The timeline

(04:00) - Experiences on the ground

(07:51) - Technical takes on how this hack could have happened

(23:55) - Regulatory expert takes on how detrimental each day of shutdown is

(43:30) - Impacted dealer experiences & Potential governmental intervention 

(01:03:41) - Audience Q&A

1. One of the biggest concerns.

David kicks things off by discussing the impact that these outages will have on dealership personnel. One of the biggest things he’s hearing on the ground floor of dealerships is that, as the end of the month nears, dealership staff members are concerned about the timeline and accuracy of their income. Many of these positions are paid out based on variable performance and rely on sales and service consistency to earn the living they are accustomed to.

2. A spear phishing attack

From Yaron’s perspective, this is a memorable moment for the auto retailing industry. “I think it’s nothing less than automotive’s software ‘black swan.’ I think this is a moment that has a whiff of COVID-19.” In his opinion, this attack will likely change how auto retailing professionals consume software inside dealerships moving forward. The attack was a sophisticated one, he says, and CDK is likely still negotiating with the group responsible. Yaron speculates that these criminals likely got into CDK’s systems via company credentials, often called spear phishing. Once the attackers are inside, they use an extortion tactic by locking down hardware. Then, negotiations begin. CDK has stated that systems will likely come back online within several days. But Yaron is skeptical. In his experience, these kinds of negotiations typically take weeks.

3. Rethinking dealership technology.

What’s more important, Yaron says, is what the auto industry takes away from this event. “What needs to change is the grand architecture and how dealerships organize and build and a much safer architecture of how they consume parts that power the dealership,” he says. Yaron recommends that dealers build their architecture from three isolated and segregated parts: CRM, DMS, and point-of-sale systems.

4. On the regulatory side of things

Brad says that the tie-in under U.S. law is generally with respect to customer data. It’s important to understand that dealers are the regulated entities, he explains. Dealers are the financial institutions under federal law and the controllers of data under state privacy laws. Even though the ransomware attack was on CDK, the vendor, the technical legal obligation falls to dealers. Dealers may also be required to notify the FTC. Under new additions to the Safeguards Rule, the notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected, as well as additional information. Brad says this will occur if unencrypted customer data is involved, which hasn’t been determined as of this panel. It’s important to note that dealers have 30 days from the ‘discovery’ of the incident to send this notice.

5. Safeguarding consumer data and sales reporting.

The criminals behind this incident are professionals. If they are also holding customer data ransom, they could extort CDK twice (once for systems and once for data). Even then, there is no guarantee that the data will not be resold again on the black market, says Brad. If this cyber incident is not solved over the coming days/weeks, Andy says that the stair-step programs many OEMs provide to help dealers maintain their profitability will be in jeopardy if sales numbers can’t be reported accurately. He says it’s just one of many unforeseen byproducts of this situation.

6. A real eye-opener.

Brian Benstock’s dealerships have been impacted by the outage, but he hasn’t stopped operations like other stores. His team is focused on making this hurdle seamless for the customer. “No one has walked into Paragon and asked me, ‘Who is your DMS provider?’” he says. It doesn’t matter to the buyer. He says his accounting team will be experiencing the most challenges in reconciling paperwork and ensuring the dealership is financially accountable for deals. As far as digital security is concerned, it’s been a real “eye-opener” for Brian. He adds that the stores are taking steps to separate the CRM and the DMS so that they are isolated entities.

7. What could happen next

Melissa points out that automotive retailing is one of the most highly regulated industries in the country. From her point of view, governments tend to be reactionary in these types of circumstances. “What we don’t want is for this to drag on to where the government would feel the need to intervene,” she says. “We want this to handle itself so consumers, businesses, and dealers can have a say in how this happens.” That said, Melissa does expect at least a hearing at the federal or state level about this.

8. Are dealerships insured for this?

Brad explains that the total paid out in ransomware attacks last year was $1.1 billion. He presents the scenario of a dealership with a $10 million policy. Each instance of a consumer data breach could cost a dealer $35,000. Multiply that by a measly 300 records and the policy is spent. Todd adds that there will be a ripple effect when it comes to business interruption insurance. From his perspective, dealers are getting by in light of the circumstances and consumers will likely see wait times extend a bit.  

9. Moving forward better prepared

Yaron encourages dealers to realize that this situation will take time to resolve. “Transition into a different mode of operation and the other thing I’m taking away from this is how to safeguard business continuity,” he says. The trick will be reformulating the technology architecture of the dealership to still align with a seamless and efficient car buying process for consumers. 

10. What this means for dealership staff.

Brian Kramer says that losses for dealers will mostly be time-related costs. This period could require dealership staff to stay a bit later than usual. Doing things manually often means redundancies which can cause new business development, as older business becomes the primary focus, he says. Brian Benstock adds that dealers have to make sure their staff gets paid, even if it means erring on the side of caution and overpaying.
