Repairer Driven News

CDK plans restoration by July 4, collision center files suit after cyberattack


CDK estimates all dealerships could be live by late Wednesday or early Thursday, July 4, one of the busiest holidays for dealerships, as the company continues a phased approach to restoring service following a ransomware attack that has crippled the industry for nearly two weeks.

“Our Customer Care channels have also been restored and customers can call, chat or submit eCases if they need assistance,” a Monday morning email from the company says. “We are also actively working on bringing other applications live, including our Customer Relationship Management (CRM), ONE-EIGHTY, and Service solutions.”

CDK first shut down its management system to 15,000 dealerships June 19. It briefly brought the system back online the next day, only to shut it back down again that evening. The system provides a suite of tools including vehicle sales, financing, insurance, and parts inventory and ordering.

A class action lawsuit filed by Jay Kay Collision Center on June 25 claims CDK failed to implement reasonable data security, causing a data breach that has disrupted service to car dealerships, automobile repair centers, OEMs, software vendors, and other service providers.

The suit, filed in the U.S. District Court for the Northern District of Illinois, alleges negligence, breach of implied contract, and unjust enrichment by CDK.

It says CDK failed to safeguard its system after learning about a data breach on June 19, opening itself up to a second breach. 

“The outage has caused a delay in critical business functions and disruption to businesses inflicting substantial costs to develop workarounds, and has potentially exposed their sensitive personal and financial information to criminals,” the complaint states. 

CNN reports that an estimate by Anderson Economic Group puts the direct losses due to business interruptions for car dealers at $944 million if the outage were to last a full three weeks. 

The news agency also reports that the system outage makes it difficult for dealerships to track customer interactions, orders, and sales, ultimately impacting employee pay. 

BlackSuit, a hacking group believed to be Russian and Eastern European, is behind the ransomware attack on the company, according to multiple media reports.

“The [BlackSuit] infiltration is reportedly carried out through what is known as a ‘callback phishing attack,’ where the target dials a phone number embedded in emails disguised as subscription renewals, and the attackers leverage social engineering tactics to trick the victims into installing remote access software and granting access to the targeted network,” the suit says. 

CDK sells its product promising its communication and connection are stable and secure, the suit says. It says the company also promises to guard against ransomware. 

This includes: 

    • Endpoint protection
    • Network protection
    • Security awareness training
    • Mail protection
    • Multi-factor authentication 
    • DealerComply, a service to help dealerships comply with data security regulations and laws

The company allegedly claims to use a three-tiered approach to combat cyberattacks, the lawsuit says. 

“Defendant is a large, sophisticated organization with the resources to deploy robust cybersecurity protocols,” the suit says.  “Defendant knew or should have known, that the development and use of such protocols were necessary to fulfill its statutory and common law duties to Plaintiff and Class members. Therefore, its failure to do so is intentional, willful, reckless, and/or grossly negligent.”

CDK failed to disclose that it didn’t have adequately robust security protocols and training practices, the suit claims. It also alleges the company failed to take standard and reasonably avoidable steps to prevent the data breach, then concealed the existence and extent of the breach for an unreasonable duration of time. The collision center also alleges CDK failed to promptly and accurately notify it and class members of the breach.

Jay Kay Collision Center claims it has been unable to order parts due to the breach, which has caused delays in its ability to repair vehicles. Recently, the business has been able to order some parts by manually calling. 

The inability to check on the status of pending parts orders creates additional delays in repairing vehicles, the suit says. 

It adds that employees have to be paid to deal with the delays, business interruption, and manual ordering of parts.

“The delay in repairing automobiles due to the Data Breach has adversely affected insurance company cycle times and rental car authorizations, and has delayed Plaintiff receiving payment for its repairs,” the suit states. “Plaintiff gets paid after completing the repairs, and Plaintiff is delayed in being able to complete repairs due to an inability to get parts as a result of the Data Breach.”


Photo courtesy of welcomia/iStock
