CDK Global is still down heading into the brisk car-selling Fourth of July holiday next week. Auto dealerships use its software to manage everything from scheduling to records, and the mass outage since last week has paralyzed nearly 15,000 dealerships across North America.
CDK said last Saturday that it has begun restoring its software, but both car buyers and dealers are currently at a standstill. It has suggested several times that a fix is in order, only to say then that its systems would remain out of commission for a while longer.
Here’s what you need to know about the massive software outage.
What does CDK Global do?
CDK Global provides data and technology to different automotive dealerships. Its systems are used by roughly 15,000 car dealerships across the United States and Canada.
CDK operates different software products car dealers use to handle workflow such as keeping records of negotiated deals, to scheduling and communicating about service. Not every dealer uses CDK’s products, and those that do may not use CDK for every dealership task, but the system shutdown has been a problem for many.
To protect customer privacy, customers’ details aren’t written out on a piece of paper that’s just sitting on a desk anymore. Instead, information about deals and customer appointments is kept in a server that’s now impossible for salespeople affected by the outage to access.
Can I still buy a car or get my car repaired?
Salespeople and service employees who spoke with CNN say they’ve resorted to using pen and paper to process purchases, which has drawn out the amount of time it takes to buy a car, according to Scott Campbell, a salesman at Capital City Buick GMC in Berlin, Vermont. He estimates wait times have doubled or tripled.
Several buyers and repair customers tell CNN they’ve experienced long delays.
Don Aycock told CNN he drove 90 miles round-trip from his home to a car dealership in Clay County, Florida, to buy a new Buick on Thursday, a day after the CDK shutdown. He told CNN he was able to buy the car but was unable to sign the title.
“We got a call from them today that we can come next Thursday to sign the paperwork for the title and get a permanent license plate,” he said, noting that it will be another lengthy round-trip drive.
In San Diego — where temperatures in recent days have been pushing 90 degrees — Robbie Jacob and his wife tried to make an appointment at a Kia service center to fix their car’s broken air conditioning unit. Jacob said the center told them it was unable to service the car, citing the CDK cyber incident, as there were no appointments available and all walk-ins were suspended until next week.
Can I still register my car?
Midway Automotive uses a CDK product to register cars with the Massachusetts Registry of Motor Vehicles.
Owner Michael Deveney says that after the shutdown on Wednesday, the dealership started sending customers to their local RMV office in order to register their cars in person after purchase.
“That was up until Thursday. Then customers started being told that (the RMV) wasn’t taking any walk-ins,” he said. “They were probably getting flooded with customers and started turning people away.”
Some 30 miles north in Lynn, Massachusetts, Katelyn Salvato says she hasn’t been able to register a vehicle since last Tuesday. Salvato works as a title clerk for Pride Motor Group, registering cars for three dealerships.
“Today… I sent 21 registrations to be done manually at the Massachusetts RMV,” she said.
Callahan echoed those concerns. Under normal circumstances, the CDK software allows the dealership to register a vehicle almost instantaneously, but now the process faces heavy delays.
“Our remote registration system is rendered useless without CDK to talk to it. We’ve had to send a runner with the registrations to the DMV to be competed in packs, costing several days where prior it took hours,” Callahan said in an interview with CNN.
When will CDK be back online?
CDK Global doesn’t believe its systems will return online before June 30.
In an automated voice message to clients, CDK said it is making “significant progress” in restoring its core application.
“We do feel it’s important to share that we do not believe that we will be able to get all dealers live prior to June 30,” the message said.
The company also urged dealerships to make alternate plans for their month-end financial reports.
However, CDK gave dealerships encouraging news on Wednesday. It said it was able to bring a “small initial test group” of car dealerships back online. The company also said it’s also working to bring additional applications back online, such as its customer relationship management and service solutions, as well as its customer care channels.
Problems began last Wednesday when CDK spokesperson Lisa Finney told CNN that the company was investigating a cyber incident.
“Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible,” Finney said in the statement.
Later that day, the company said most of its critical computer systems were back online. But the next morning, the company told dealerships another incident had happened.
Why did systems go down?
CDK has said it is working to investigate the shutdown after two cyber incidents brought its systems to a standstill. The company has not confirmed who was behind the incidents.
Bloomberg previously reported the company was negotiating with an Eastern Europe-based hacker group demanding tens of millions of dollars in ransom to end the outage.
CDK has not responded to CNN’s request for comment about the reported ransom.
Why is this hack so impactful?
While companies used fewer interconnected workflow systems in the past, the move to cloud computing and reliance on third-party software systems — despite helping daily business operations — creates complex systems that are more susceptible to widespread hacks.
If the main part of the centralized system goes down, it means that everything goes down. Rather than having to hack each dealership individually, all hackers have to do is hack where all the data is stored for all of them.
“It also creates kind of a bullseye and it helps attackers focus their efforts on specific types of infrastructure or specific cloud platforms,” Eric Noonan, CEO of cybersecurity provider CyberSheath, said.
And hackers are targeting organizations that serve in the supply chain of industries. By attacking CDK’s software, for instance, hackers were able to bring the vehicle dealership industry to a standstill. That gives hackers leverage to ask for larger and larger sums of money, said John Dwyer, director of security research at Binary Defense, a cybersecurity solutions firm.
Though hackers have more leverage, the success of paying a ransom and a speedy recovery is elusive, experts said.
“There’s never been a story written on a company that successfully paid a ransom, and then quickly recovered their systems,” Noonan said.
What is the financial impact on dealerships?
At a Mazda dealership in Seekonk, Massachusetts, general sales manager Ryan Callahan said the outage has affected nearly every aspect of its business.
“The financial impact it will directly have on us will take months to correct, if not years,” Callahan said.
Tom McParland, the owner of Automatch Consulting, a national car buying service, said the outage was impacting customers because they now have fewer dealers to choose from.
“It reduces their ability to get a deal,” he said. “It limits the customer’s leverage.”
Some dealers also can’t apply factory rebates without CDK’s software, so customers may miss out on money-saving deals. For customers looking to buy a car, McParland suggested casting a wide net and shopping outside their local market to find the best price.