On June 18, 2024, a ransomware group called BlackSuit broke into CDK Global, the software company that runs the dealer management systems for more than 15,000 car dealerships across North America. Within hours, CDK shut everything down. Sales desks went dark. Service departments couldn’t look up repair orders. Finance managers couldn’t print contracts. And for the next two and a half weeks, thousands of dealerships were stuck doing business with pen and paper.
CDK reportedly paid $25 million in Bitcoin to get their systems back. The total damage to the auto industry topped $1 billion. If you run a dealership in Tennessee, this is worth paying attention to.
What actually happened at CDK Global
BlackSuit hit CDK’s systems on a Tuesday. CDK’s first move was the right one: they pulled the plug on their dealer management platform to stop the ransomware from spreading. The problem is that CDK’s architecture relies on always-on VPN connections between their servers and every dealership location. Cutting that connection meant cutting off access to everything.
By Wednesday, CDK thought they had things under control and started bringing systems back online. Then a second attack hit. CDK shut everything down again, and this time the systems stayed dark for weeks.
The phased restoration began on June 22. Smaller dealership groups came online first as a test. Some dealers regained access by June 28. CDK originally planned to have full service restored by July 4, but some locations didn’t get back online until the week of July 9.
During that entire stretch, the BlackSuit attackers played hardball. They opened negotiations at $10 million, then pushed the demand past $50 million. CDK has never publicly confirmed the payment, but multiple reports put the final number at $25 million in Bitcoin.
The chaos on the showroom floor
The numbers are bad enough. But the day-to-day reality at affected dealerships was worse.
Sales teams reverted to handwriting buyers’ orders. Some dealerships actually let customers drive off in new vehicles with nothing but handwritten paperwork and a promise to come back and sign real documents once the computers came back on. Finance departments couldn’t coordinate with banks to arrange loans. Parts departments couldn’t track inventory, and the ripple effect hit aftermarket suppliers like NAPA, whose sales dropped because dealers couldn’t place orders.
Service departments ground to a halt. Warranty work essentially stopped because technicians couldn’t submit claims through the system. Some shops told customers they would call them when the system came back up. Others pushed through with handwritten repair orders, prioritizing customer relationships over clean accounting.
The employee stories are the ones that stick with you. Flat-rate mechanics get paid based on hours logged in CDK. No system, no logged hours, no paycheck. One technician went a full month without getting paid because their dealership had just finished migrating to CDK right before the hack. Some dealers stepped up with guaranteed minimums or averaged past paychecks. Others offered nothing.
One employee described a manager sprinting onto the floor and shouting that anyone not logged out of CDK within 30 seconds was fired. On the customer side, an Audi buyer who was supposed to drive home a brand new S5 that day was stuck waiting indefinitely. Another Audi owner reported their car’s SOS and lane assist features randomly shut off after the breach, and the dealership couldn’t get them repaired because the service system was still down.
The real question: whose fault is this?
It’s easy to point at CDK Global, and they deserve plenty of the blame. Their architecture created a single point of failure for 15,000 businesses. When one company goes down and takes your entire operation with it, that’s a concentration risk problem.
But here’s what most dealers don’t realize. Under the FTC Safeguards Rule, auto dealerships that finance or lease vehicles are classified as financial institutions. That means you’re legally responsible for protecting your customers’ personal data. And that responsibility doesn’t disappear when you hand that data to CDK.
The Safeguards Rule specifically requires you to oversee your service providers. You need to assess their security risks. You need contracts that require them to maintain appropriate safeguards like encryption and multi-factor authentication. And you need to periodically verify they’re actually doing it.
Think about what CDK stores in those digital deal jackets: credit applications, copies of driver’s licenses, Social Security numbers, bank account details. If that data gets compromised because your vendor got hacked, the FTC doesn’t care that it wasn’t your server. It was your customer’s data, and you chose the vendor.
What the FTC Safeguards Rule requires from your dealership
The amended Safeguards Rule, with new requirements that took effect in 2024, lays out specific obligations for auto dealers. Here’s what you need to have in place.
A designated security lead. Someone at your dealership needs to own the information security program. This person oversees implementation and reports to leadership at least once a year on the program’s status.
Written risk assessments. You need to identify the internal and external threats to customer data at your specific location. Not a generic template from a compliance vendor. An actual assessment of your dealership’s risks.
Multi-factor authentication on everything. The FTC requires MFA for anyone accessing your information systems. That includes your employees and any third-party service providers with access to your network. Passwords alone don’t cut it anymore.
Encryption at rest and in transit. Customer data needs to be encrypted whether it’s sitting on a server or moving across a network. If CDK had implemented stronger encryption practices, the stolen data would have been far less useful to the attackers.
Regular testing. You need either continuous monitoring or annual penetration testing combined with vulnerability scans at least every six months. This catches problems before attackers do.
A written incident response plan. When (not if) something goes wrong, your team needs a playbook. Who makes the decisions? Who contacts the FTC? Who talks to customers? As of May 2024, dealers must notify the FTC within 30 days if a breach affects 500 or more consumers.
Employee training. Your service writers, sales team, and back office staff all handle sensitive data. They need to recognize phishing attempts, understand social engineering, and follow strict protocols for customer information.
Seven things you should do this month
If the CDK hack didn’t prompt your dealership to take action, you’re running out of runway. Here’s where to start.
Test your backups in isolation. Ransomware groups specifically target and encrypt backups to eliminate your recovery options. Your backups should be immutable (can’t be altered or deleted) or air-gapped (physically separated from your network). And you need to actually test restoring from them. A backup you’ve never tested is a backup you can’t trust.
Enforce MFA across the board. Every login and every system, no exceptions. This alone blocks most credential-based attacks. If your DMS vendor doesn’t support MFA, that’s a serious problem you need to escalate or plan around.
Segment your network. The always-on VPN connections between CDK and 15,000 dealerships created a highway for the ransomware. Your vendors should only have access to the specific servers and data they need. If a vendor gets compromised, network segmentation keeps the damage contained to one area instead of your entire operation.
Audit your vendor contracts. The FTC requires you to contractually obligate your service providers to maintain appropriate security. Pull out your CDK contract (and every other vendor agreement) and verify that security requirements are actually written in. If they’re not, fix that immediately.
Keep offline fallback procedures ready. The dealerships that handled the CDK outage best were the ones that had paper forms and manual processes ready to go. Keep a supply of compliant buyers’ orders, repair orders, and financial paperwork on hand. Run a drill once a year where your team processes a deal entirely on paper. When the systems go down, your team shouldn’t be learning the manual process for the first time.
Deploy endpoint detection and response (EDR). Traditional antivirus isn’t enough for attacks at this level. EDR solutions actively monitor network behavior and can detect ransomware before it encrypts your files. Think of it as the difference between a smoke detector and a security camera that calls the fire department the moment it sees a spark.
Train your people consistently. Run phishing simulations. Teach your staff what social engineering looks like. Make sure everyone who touches a deal jacket understands the sensitivity of the data they’re handling. It only takes one click on the wrong link.
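For the "Segment your network" item above, here is an added example (not code from CDK or any vendor) of auditing firewall rules so the vendor VPN range can reach only the servers it needs. The subnets, host addresses and rule format are constructed placeholders, and the check looks at each allow rule on its own without modeling rule order.

```python
import ipaddress

# Constructed sample data: placeholder subnets and hosts, not a real dealership network.
VENDOR_VPN = ipaddress.ip_network("10.99.0.0/24")   # where the DMS vendor tunnel terminates
VENDOR_ALLOWED = [                                   # the only hosts the vendor needs
    ipaddress.ip_network("10.10.5.10/32"),           # DMS application server
    ipaddress.ip_network("10.10.5.11/32"),           # DMS forms/print server
]

RULES = [
    {"id": 1, "src": "10.99.0.0/24", "dst": "10.10.5.10/32", "port": "443", "action": "allow"},
    {"id": 2, "src": "10.99.0.0/24", "dst": "10.10.0.0/16", "port": "any", "action": "allow"},
    {"id": 3, "src": "10.20.0.0/24", "dst": "10.10.5.10/32", "port": "443", "action": "allow"},
    {"id": 4, "src": "0.0.0.0/0", "dst": "10.10.7.20/32", "port": "3389", "action": "allow"},
    {"id": 5, "src": "10.99.0.0/24", "dst": "10.10.7.0/24", "port": "445", "action": "deny"},
]


def audit_vendor_rules(rules, vendor_net, allowed):
    """Return (rule id, reason) for allow rules that give the vendor more reach than it needs."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        # A rule applies to the vendor if its source range covers any vendor address,
        # which includes broad "any" sources such as 0.0.0.0/0.
        if not src.overlaps(vendor_net):
            continue
        # The destination must sit entirely inside one approved host or range.
        if not any(dst.subnet_of(ok) for ok in allowed):
            findings.append((rule["id"], f"vendor can reach {dst} on port {rule['port']}"))
        elif rule["port"] == "any":
            findings.append((rule["id"], f"all ports open to {dst}"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_vendor_rules(RULES, VENDOR_VPN, VENDOR_ALLOWED):
        print(f"rule {rule_id}: {reason}")
```
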
The bottom line for Tennessee dealerships
The CDK hack wasn’t a freak accident. BlackSuit is a well-known ransomware group with ties to the Conti and Royal operations. They targeted CDK because they knew the payout would be massive: one breach, 15,000 victims, and a company that would pay to make it stop.
If your dealership in Franklin, Nashville, Chattanooga, or anywhere else in Tennessee relies on a single software platform for sales, service, parts, and finance, you have the same vulnerability CDK’s customers had. The software might be different, but the architecture problem is identical.
The FTC has made its expectations clear. You are responsible for your customers’ data, regardless of which vendor stores it. Getting compliant with the Safeguards Rule is no longer optional, and the CDK breach proved why those requirements exist.
Charger IT works with auto dealerships across Middle Tennessee on exactly this stuff: cybersecurity assessments, network segmentation, vendor audits, and FTC Safeguards Rule compliance.
If you’re not sure where your dealership stands, take our free IT assessment. It takes 10 minutes. The next CDK-level attack will happen. The only question is whether your dealership is ready for it or scrambling for a pen.