CDK Hack Summary

Published on 10 August 2024 at 10:18

CDK Global Inc. is an American corporation based in Austin, Texas, providing data and technology to the automotive, heavy truck, recreation, and heavy equipment industries. CDK is a trusted third-party service provider to many US and Canadian car dealerships that focuses primarily on delivering processing capabilities and provides software that manages daily operations, including vehicle sales, financing, insurance, and repairs. 

CDK Global's main offering, the Dealer Management System (DMS), was compromised on June 18th, 2024 as part of a cyberattack that caused widespread disruption for approximately 15,000 car dealership customers across the US and Canada, recording a $605 million loss in the two weeks following the disruption. The attack originated from the adversarial group Blacksuit, which launched a ransomware payload; while CDK was able to restore its systems initially, they were compromised again by Blacksuit. CDK has not yet publicly disclosed which systems were targeted or which vulnerabilities were exploited.

As of today (Aug 10th, 2024), CDK claims to have restored all operations for all of its customers; however, a class action lawsuit has been filed against CDK as a result of damages incurred from the disruption.

Five Key Takeaways from this Incident:

  1. Security Training and Awareness programs are pivotal in educating staff and team members about risks, and more specifically about phishing-based attacks that launch a ransomware payload.
  2. Establishing a strong Incident Response Plan to manage and coordinate action items for a specific incident. Furthermore, performing periodic incident response walkthrough exercises with key stakeholders identifies the roles and responsibilities required in an incident.
  3. Implementing strong Cybersecurity Detective controls that include Endpoint Detection and Response (EDR) capabilities to identify suspicious emails and attachments and mitigate the associated risk.
  4. Assurance over the Data Backup and Recovery program may lead to a faster recovery process and supports data integrity in recovery practices.
  5. Crisis Management Communication is a very important aspect of dealing with a widespread disruption that impacts a high volume of customers who rely heavily on the service provided. Furthermore, engaging this protocol provides timely communication about the incident and insight into the estimated time to recovery.
