Shockwaves Across The Automotive Industry
On 06/19/2024, a leading Dealer Management System (DMS) provider, fell victim to a significant cyber attack. This breach has sent shockwaves through the automotive industry, highlighting the urgent need for robust security measures to protect sensitive data and maintain business continuity. As dealerships scramble to assess the impact and safeguard their operations, it’s clear that enhanced security protocols are more critical than ever.
Understanding the Impact of a Security Breach
CDK Global’s systems are integral to the operations of countless dealerships worldwide, managing everything from customers data, customer sales, credit bureau, images of driver’s licenses, social security cards, parts inventories, and payroll. The hack has potentially exposed much of this sensitive information, putting dealerships and their clients at risk. This incident underscores the vulnerabilities inherent in relying on centralized systems and the dire consequences of inadequate data protection.
What's next for Automotive Dealerships
In the event of a breach by one of your vendors, the key is communication from your vendors. Right now, CDK has sent out limited statements regarding the breach, mainly to do with CDK’s software functionality. CDK is probably assessing the situation and trying to find out what information is contained in the hack and how to segregate that and restore backups of their systems.
Steps for Dealers
For Automotive Dealerships it’s a waiting game. Until CDK releases additional information you will have to wait to determine if your customers information was compromised. However, there are still steps that you will need to take if you use any of CDK’s services.
- Until CDK makes a statement that the software is good, any device that has any installed CDK software should be completely powered down. This is to prevent the perpatrators from having access to your computers and your network. Until the details of the breach are determined these computers that have software that communicates with CDK servers should remained powered down.
- Discontinue using any and all CDK services, until CDK makes a statement that these services are ok to use.
- You will want to notify your Qualified Individual.
- You will want to notify any third-party vendors that you and the dealership uses for IT security.
Steps for Customers of Dealers
For customers it too is a waiting game. CDK will communicate with the dealerships that are affected and at that point those dealerships are required to notify the Federal Trade Commission of the extent of the breach and what type of data was compromised. Additionally, following the notification of the FTC, Dealerships are also required to communicate with you, the customer, of the extent of the data that was compromised, this can occur months from the breach occurrence. Often, if the extent of the breach is unable to be identified you will receive vague notifications that your data could have been included in the breach.
The Necessity of Enhanced Security
In light of this breach, dealerships must reassess their data security strategies. Relying solely on traditional systems, which can be prime targets for cyberattacks, is no longer viable. Dealerships need a multi-faceted approach to data security that includes end-to-end encryption, stringent access controls, and regular risk assessments to prevent unauthorized access and mitigate potential threats. Additionally, the diversification of third-party vendors should be looked at. Just as monopolies in economics can have negative effects, so to can utilizing one vendor for all your software needs.
What we should learn from this breach
The CDK Global hack serves as a stark reminder of the importance of data security and diversification of vendors. Even though Automotive Dealerships had little to no control over the security of the data that CDK Global had of their dealership’s customers, Automotive Dealerships did have the responsibility to assess their vendors and ensure that the vendors were taking the proper precautions with their customers data. With many of the large Dealership Management Corporations being reluctant to communicate with Automotive Dealerships or share the process they take to protect customer information, it makes the task of assessing them difficult. This breach should be a wakeup call to Automotive Dealerships to require communication concerning the steps large Automotive vendors are taking to protect their customers information. Additionally, for large automotive vendors this should wake them up to establish communication and data security plans to protect customers information in conjunction with the automotive dealerships.
