CDK Global Cyberattacks: What Can CIOs Learn About Single Points of Failure?

Thousands of car dealerships are feeling the ramifications of two cyberattacks on software company CDK Global.

Carrie Pallardy, Contributing Reporter

June 27, 2024

CDK Global provides software services to more than 15,000 car dealerships. Last week, the company was hit with two cyberattacks that are responsible for an ongoing outage.  

CDK Global provides a dealer management system (DMS), which supports a wide variety of car dealership operations such as sales, payroll, and repair services. The attack has thrown a major wrench into the auto industry, causing many impacted dealerships to conduct business on pen and paper.  

When a cyberattack hits a single point of failure in any industry, the effects can be widespread and the cleanup process extensive. What can CIOs and other enterprise leaders learn from the attack on CDK Global and others like it?  

A Disruptive Ransomware Attack 

CDK Global was hit with two cyberattacks on June 19. The ransomware attack on the company was executed by the group BlackSuit, according to Bloomberg. BlackSuit is reportedly demanding tens of millions in ransom, and the company has yet to fully restore its systems.  

“We have successfully brought a small initial test group of dealers live on the dealer management system, and once validation is complete, we will begin phasing in other dealers. We are also actively working to bring live additional applications -- including our customer relationship management (CRM) and service solutions -- and our customer care channels,” according to a CDK Global statement emailed on June 26.  

In addition to the immediate operational disruption caused by an attack like this, there are other potential consequences. Already, the company is facing lawsuits from individuals alleging their personal information was compromised in the cyberattack.  

“I would expect that we would see class-action consumer lawsuits because of all the PII that is in the DMS,” says Peter Cassat, a partner at full-service law firm Culhane and former general counsel at auto dealership New Country Motor Car Group.  

A cyberattack of this scale also comes with reputational impact. “CDK for years has been charging access fees to the DMS for all third-party providers,” says Cassat. “They’ve been charged … for security reasons.” In the wake of a security incident like this, customers may view the company differently.  

“I think it’s a big reputational sort of a problem for CDK and what its narrative is going to be going forward,” Cassat adds. 

A System Shutdown  

In response to the cyberattacks, CDK Global shut down its systems. Other enterprises hit with cyberattacks have opted to shut down systems as well. MGM Resorts International, for example, shut down some of its systems in response to a disruptive cyberattack in 2023, according to BleepingComputer.  

“It may be riskier to continue operations in a compromised system,” says Patrick Tiquet, vice president, security and architecture at Keeper Security, a passwords and secrets management company. “There’s usually guidance in the incident response plan that will tell them when … to make the call to shut a system down in response to a cyberattack.” 

What happens while an enterprise’s systems are offline? Enterprise teams are likely feverishly working to understand what a threat actor has accomplished -- how deeply they’ve penetrated systems and if they’ve exfiltrated data -- and to prevent lateral movement.   

“You’re trying to understand the blast exposure, basically understanding the extent of the impact and whether or not you can segment off other portions of your enterprise,” explains Stan Wisseman, cybersecurity chief technologist at cybersecurity solutions company OpenText Cybersecurity.  

That process often involves working with third parties, like forensics teams and law enforcement, and it takes time to ensure systems can be safely and effectively restored.  

A World of Supply Chain Risk 

In a world where nearly every business relies on an increasingly complex supply chain to do business, leaders must consider the risk that comes with their vendors and the possibility of single points of failure. 

“The DMS is somewhat of a single point of failure, and there are not backup systems,” says Cassat. “So, for all IT folks, [it] underscores the importance of redundancy, backup plans, disaster recovery plans, business continuity plans.”  

The attacks on CDK Global are not the first example of how disruptive it can be when threat actors target a single point of failure. This spring, the ransomware attack on Change Healthcare, a payment and claims system, caused massive issues in the health care industry. Patients struggled to fill their prescriptions. Insurance companies couldn’t pay claims. And it is likely we will see more of these attacks with widespread ramifications.  

Threat actors are doing their homework, according to Wisseman. “Each sector probably has multiple digital platforms like this, and I think the bad actors have learned they can get what they want … financial gain.” 

And threat actors may continue to have luck when homing in on these single points of failure. “A lot of these systems were put into place with more thought to functionality rather than disaster recovery and resiliency,” Tiquet points out.  

Building redundancies and resilience into software systems involves more upfront costs, but that investment could save money in the long run. “If there's a single point of failure in the system, it could end up costing a lot more money than it would have if they had designed … the system with redundancy,” says Tiquet.  

As real-life examples of supply chain risk unfold, more enterprises are calling for insight into their vendors’ security practices. “I think more and more organizations are pushing for more evidence-based information that gives them that comfort, that truly their supply chain is giving them the security controls they need,” says Wisseman.  

Even with an increasing push for that insight through means like software bills of materials (SBOMs), “not if, when” is the ruling philosophy around breaches and cyberattacks. Enterprise leaders need to consider what their backup plans are, and rehearse them, in case their organizations are swept up in the fallout of an attack like the one on CDK Global.

About the Author(s)

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.
