Two collision centers are plaintiffs in the newest class action suit filed in federal court against CDK following a cyber attack that shut down and disrupted the company’s services for weeks.

Smith Collision Center and Broadway Precision Collision, both located in Ada, Oklahoma, join plaintiffs Manderbach Ford, located in Hamburg, Pennsylvania, and DLR Auto Group, located in Agoura Hills, California, in a class action suit filed in the Northern District of Illinois Eastern Division court July 12. 

It is one of about 10 civil actions filed against the company since June 24. Jay Kay Collision Center has also filed suit in the same court June 25. 

The newest suit alleges CDK failed to maintain adequate data security measures, which led to the foreseeable event of a data breach. 

“Many car dealerships rely on CDK Global’s software, including its DMS, for their entire sales process, including to generate necessary paperwork, store sales contracts, manage vehicle inventory, secure financing, and register new vehicles,” the document says. “Car dealerships, automotive repair shops, and other automotive businesses also rely on CDK Global’s software to schedule customer appointments, track and obtain parts, manage service requests, process payroll, and perform other critical tasks.”

Smith Collision Center and Broadway Precision Collision depend on CDK software to order and obtain parts necessary to complete scheduled vehicle repairs because it orders parts from dealerships who use CDK software to manage part inventory and process part orders, it says. 

It says both couldn’t order and obtain the parts necessary to complete scheduled vehicle repairs. As a result, the businesses suffered damages associated with the interruption of its business operations, including loss of fixed operating costs and losses related to its inability to fulfill service requests. 

Jay Kay Collision Center also claimed in their suit, that the cyber attack made the business unable to order parts causing a delay in the ability to repair vehicles. It also alleges the business had more expenses because employees had to deal with the delays and interruptions and manually ordering parts. 

“The delay in repairing automobiles due to the Data Breach has adversely affected insurance company cycle times and rental car authorizations, and has delayed Plaintiff receiving payment for its repairs,” the suit states. “Plaintiff gets paid after completing the repairs, and Plaintiff is delayed in being able to complete repairs due to an inability to get parts as a result of the Data Breach.”

The newest suit quotes J.D. Power estimates expecting new vehicle sales in June to drop about 100,000 vehicles or more than 7% compared to the same time period in 2023. It also uses estimates from an Anderson Economic Group analysis that found dealer losses could reach $944 million. 

Earlier this week AutoNation, the second largest dealership group in the U.S., warned that the attack will have a large impact on its second quarter earnings, according to Yahoo Finance. 

CDK has promised financial relief to more than 15,000 dealerships impacted by the attack, according to CBT Global. 

Media has reported the company likely paid a $25 million ransom to Eastern European hacking group BlackSuit following the attack that caused systems first to shut down on June 19. 

The system remained offline for nearly two weeks, with most systems restored by late July 3 and early July 4. 

Mandiant, a Google subsidiary, released a report last month that shows ransomware increased in 2023 compared to 2022. This includes a 75% increase in posts on data leak sites and a more than 20% increase in Mandiant-led investigations.

It says 2023 was a record-breaking year with more than $1 billion paid to ransomware attackers.

IMAGES

Photo courtesy of BalkansCat/iStock