Take Steps to Combat Cybercrime
Aura and Mosaic Compliance partnership designed to protect auto dealers and their customers from cybercrime.

The automotive industry is particularly susceptible to cyberattacks.
CDK Global, a software company that caters to U.S. car dealerships, recently garnered attention as the victim of cybercrime.
News reports indicate the company was targeted by a cyberattack and allegedly paid $25 million to regain control of its data—a nightmare for any company. Thousands of auto dealerships relying on CDK's software faced major disruptions after the ransomware attack, which affected their scheduling, sales and orders.
CDK didn’t re-establish service for all of its nearly 15,000 car dealerships in North America for two weeks. It’s hard to quantify the financial losses those dealerships experienced because they lacked access to the systems, says Jake Cardwell, regional vice president of dealer services for Aura, a company that markets online safety solutions for individuals and families.
Customers tend to blame CDK and similar companies for such disruptions and the financial losses they experience as a result. But Cardwell says corporate victims like CDK are anything but villains.
“There is no evidence that CDK did anything wrong. They were the victims of a crime. They are a software company, and I’m sure they are SOC 2 compliant.”
SOC 2, or System and Organization Controls 2, is a security framework that specifies how organizations should protect customer data from unauthorized access, security incidents and other vulnerabilities. The framework is supposed to keep data secure, Cardwell says.
“CDK was not posting people’s data on the internet, and there is no evidence that any data was lost.”
Even so, he says attorneys wasted no time filing class-action lawsuits within days of the attacks.
In addition, CDK must provide identity theft recovery and monitoring services to every dealership customer who may be impacted.
“That’s going to be a very large number,” Cardwell says. “There were 15,000 dealers impacted by this situation. Though they did not experience data loss, they could not access the software that allows them to sell or lease vehicles or create repair orders. Their dealership management system went offline to protect against data loss.”
Dealership systems are also vulnerable to ransomware attacks, points out Jim Ganther, CEO of Mosaic Compliance Services, which advises auto dealerships on regulatory issues.
“When Koons Auto Group experienced a ransomware attack in 2021, they did everything right. It was a genuine success story,” Ganther says. “But they still got sued and ended up giving their customers identity-theft recovery and identity-monitoring service. It is the norm to do this with data breach situations or potential data breach situations.”
The Extent of the Problem
Despite attempts by the U.S. government to block their funding, cybercriminals extorted a record $1.1 billion in ransom payments from organizations around the world last year, reports crypto-tracking firm Chainalysis.
A $25 million ransom payment, like the one reportedly paid in the CDK incident, is a big chunk of change but not unusual in the ransomware business. UnitedHealth Group reportedly paid $22 million after suffering a ransomware attack in February.
The automotive industry is highly susceptible to cyberattacks, ranking as the third-most targeted sector by cybercriminals after healthcare and financial services in Verizon Business’ 2024 Data Breach Investigations Report.
And despite 90% of automotive retailers reporting getting serious about their dealership cybersecurity plans, CDK’s own 2023 State of Cybersecurity in the Dealership Study indicates 17% of dealers reported they experienced a cyberattack in the past year, even with 53% of respondents expressing confidence in their current protections.
In addition, more dealers are falling victim to identity fraud, which presented a $619 million problem in 2022, according to LEND Solutions. Its research found that 95% of dealerships say the increase in fraud is directly related to the increase in the digitization of the deal and remote buying experiences, while 86% predict that as more transactions move online, identity fraud will increase and become harder to prevent.
The issues highlight a need for dealerships to protect consumer data and offer identity theft protections, according to Cardwell.
Protection Through Regulation
Dealers are no strangers to regulations and compliance, and there’s no shortage of new rules cropping up all the time. But when it comes to data, the Federal Trade Commission’s Red Flags and Safeguards rules predominate, according to Ganther.
The FTC created the Red Flags Rule to require businesses and organizations to implement a written identity theft prevention program to detect the day-to-day warning signs, or red flags, of identity theft.
The Safeguards Rule, short for Standards for Safeguarding Customer Information, tackles data concerns by ensuring entities covered by the rule take steps to protect the security of customer information.
Under the regulation, dealerships must develop a written security program appropriate to the size and complexity of their businesses. They also must take defined steps to safeguard their data, which include encrypting customer information on the system and in transit, implementing multifactor authentication for anyone accessing customer information, and regularly monitoring and testing the effectiveness of the safeguards.
When an incident occurs, the Red Flags Rule requires dealerships to mitigate the damage from actual or potential data breaches. That typically includes identity theft recovery and monitoring services to every customer who may be impacted, Ganther says.
“The only time most customers receive protection is after an incident,” Cardwell agrees. “But by that time, it’s already too late. It’s always better and less expensive to provide those services proactively.”
Flipping the Switch
Aura has partnered with Mosaic Compliance Services to provide identity protection to anyone who gives dealers nonpublic personal information, or NPI, during the car-buying process. Cardwell and Ganther say they hope the partnership flips the switch on identity theft protections offered by dealerships so they become proactive rather than reactive.
By combining Aura's identity theft protection services with Mosaic's managed compliance solutions, the partnership is designed to help dealers adhere to the Red Flags Rule, mitigate risk, and provide proactive protection from cybercrime for their roofs, shoppers and buyers.
"We partnered with Aura so every consumer, shopper or buyer gets identity theft protection simply because they gave the dealer their nonpublic personal information," says Ganther, who adds that the collaboration both gives buyers peace of mind and dealers guidance, from “policies to operational improvements, audit and consumer online protections."
Aura's role comes in the mitigation piece of compliance with the Red Flags Rule, he says.
“With these regulations, auto dealers are now obligated to protect the personal information provided to them. By offering Aura to consumers, dealers help proactively mitigate fraud by monitoring for instances of identity theft, credit misuse and financial fraud.”
Cardwell says the partnership provides a vital offering because today’s car buyers are increasingly aware of the risks associated with providing their personal information to companies. In fact, he says, Aura research found that 84% of consumers say they would not buy another vehicle from a dealership if a breach compromised their data.
“By offering Aura's identity protection solution to every consumer who provides personally identifiable information, dealers can earn trust upfront in the car-buying process,” he says.
In the end, dealers benefit because it’s cheaper to do something proactively, before any data is potentially lost, Cardwell adds.
By offering the protection to every customer who fills out a credit application, the dealership demonstrates a genuine concern for safeguarding customers' personal information, he says.
“This goes a long way toward improving public perceptions about the dealership.”
And providing the protection as a matter of course also helps dealerships if an incident occurs, the partners say.
“How much does it change a headline if a dealer can say look what we did in advance?” Cardwell says.
Ronnie Wendt is a contributing editor at F&I and Showroom.