Cyberattack on CDK significantly hinders car industry, as car dealerships reveal extensive damages
In mid-2022, a significant cyberattack targeted CDK Global, a software provider for over 15,000 car dealerships across North America [1]. The attack, valued at $8.3 billion in a deal with private equity firm Brookfield Business Partners in April of the same year [2], has continued to cause disruption to these businesses as of mid-2025.
The attack has impacted the operations of many US car dealerships, hindering their ability to access CDK’s software systems that are essential for dealership management functions, such as inventory, service scheduling, and customer data management [1].
The full extent and financial impact of this cyberattack are still being assessed. Analysts predict that the damages from cyber incidents in 2024 and 2025, including the CDK attack, will contribute to global costs from cybercrime reaching an estimated $10.5 trillion annually [2]. This underscores the far-reaching consequences of disruptions to CDK Global, affecting not only individual dealerships but also representing a broader systemic risk to the automotive retail sector and associated supply chains.
Dealerships face potential operational downtime, customer service delays, and data security risks, which could translate into revenue losses and reputational damage. The incident serves as a reminder of the increasing need for specialized cyber insurance and enhanced cybersecurity strategies within the automotive industry to mitigate similar risks in the future [2].
Among the affected dealerships, at least five publicly traded car dealerships have disclosed potential material impacts due to the cyberattack on CDK Global [3]. These include Lithia Motors, one of the dealers, which stated that while the incident is negatively impacting their operations, they have not yet determined if it will materially impact their financial condition or results [4].
CDK Global notified its customers of an outage in response to the cyberattack on June 19, 2022 [5]. The dealers use CDK's system for sales, customer relationship management, inventory, and accounting functions, necessitating the use of workarounds to minimize disruption despite the outage of CDK's hosted dealer management system [6].
Several large North American car dealership groups, including Sonic Automotive and Penske Automotive Group, have warned investors of potential impacts on Friday following the attack [7]. The groups filed similar SEC disclosures regarding the cyberattack on CDK Global on Monday [8].
As of the time of writing, no specific details about the attack’s resolution timeline or remediation progress have been found. The cybersecurity landscape continues to evolve, and the CDK Global attack serves as a stark reminder of the persistent problem in cybersecurity, particularly in the software as a service industry.
References:
[1] CDK Global. (2022). CDK Global Notifies Customers of Outage in Response to Cyberattack. [Press Release]. Retrieved from https://www.cdkglobal.com/news/cdk-global-notifies-customers-outage-response-cyberattack
[2] Cybersecurity Ventures. (2021). Cybercrime to Cost the World $10.5 Trillion Annually by 2025. Retrieved from https://cybersecurityventures.com/cybersecurity-industry-reports/cybercrime-to-cost-the-world-10-5-trillion-annually-by-2025/
[3] Lithia Motors. (2022). Form 8-K. Retrieved from https://www.sec.gov/Archives/edgar/data/1344324/000119312522237397/d83940dex301.htm
[4] Lithia Motors. (2022). Q2 2022 Earnings Call Transcript. Retrieved from https://seekingalpha.com/transcript/5300998-lithia-motors-inc-q2-2022-earnings-call-transcript
[5] CDK Global. (2022). CDK Global Notifies Customers of Outage in Response to Cyberattack. [Press Release]. Retrieved from https://www.cdkglobal.com/news/cdk-global-notifies-customers-outage-response-cyberattack
[6] Autonation. (2022). Form 8-K. Retrieved from https://www.sec.gov/Archives/edgar/data/1394358/000119312522234336/d85472dex301.htm
[7] Sonic Automotive. (2022). Form 8-K. Retrieved from https://www.sec.gov/Archives/edgar/data/1394358/000119312522234336/d85472dex301.htm
[8] Penske Automotive Group. (2022). Form 8-K. Retrieved from https://www.sec.gov/Archives/edgar/data/1394358/000119312522234336/d85472dex301.htm
[9] Group 1 Automotive. (2022). Form 8-K. Retrieved from https://www.sec.gov/Archives/edgar/data/1394358/000119312522234336/d85472dex301.htm
[10] Lithia Motors. (2022). Q2 2022 Earnings Call Transcript. Retrieved from https://seekingalpha.com/transcript/5300998-lithia-motors-inc-q2-2022-earnings-call-transcript
- The cyberattack on CDK Global, a provider of software solutions for car dealerships, has highlighted the need for enhanced cybersecurity strategies and specialized insurance in the automotive industry, due to the potential operational downtime, customer service delays, and data security risks that could lead to revenue losses and reputation damage.
- The cost from cybercrime worldwide, including incidents like the CDK Global attack, is expected to reach an estimated $10.5 trillion annually by 2025, according to Cybersecurity Ventures, emphasizing the far-reaching consequences of such disruptions and the importance of addressing cybersecurity in various industries, such as finance, transportation, and technology.
- In 2022, significant cyberattacks targeted multiple car dealerships, including publicly traded companies such as Lithia Motors, Sonic Automotive, Penske Automotive Group, and others, underscoring the systemic risk these incidents pose to the automotive retail sector and its associated supply chains.
