The recent ransomware assault on CDK Global, a pivotal software provider for auto dealerships, has unleashed a wave of repercussions, profoundly impacting independent collision repair facilities. These shops, heavily reliant on local dealerships for Original Equipment Manufacturer (OEM) parts, are now grappling with unprecedented supply chain bottlenecks.
“It’s sparked widespread chaos – immense difficulties across the nation,” stated Beau Bennett, the proprietor of Kious Kountry Auto Collision Center Inc., a substantial 16,000-square-foot repair shop nestled in Waukon, IA. Bennett’s business hinges on two local dealerships for parts, with a staggering “95% of the components I install being OEM.”
The sudden supply chain fracture has compelled Bennett to escalate his liability insurance coverage. His shop’s premises are increasingly congested with vehicles awaiting repairs, stalled by the frustrating inability to procure essential parts. A prime example is a $100,000 GMC Denali, languishing for want of door clips, with parts availability shrouded in uncertainty.
Since the cyber-attack, Bennett has managed to receive “$20,000 worth of parts, documented on paper tickets.” The breakdown of dealer computer systems has forced a reversion to manual processes, drastically impeding operational efficiency and causing considerable delays in customer service.
Bennett emphasizes, “It’s not the dealerships’ fault.” He values his long-standing, 30-year relationships with his vendors and remains committed to their partnerships.
Unpacking the Cyberattack
The cyber incident unfolded in the late hours of June 18 and persisted through June 21. CDK Global Inc., an Illinois-based entity providing software and data solutions to 15,000 automotive dealerships, was targeted by multiple cyberattacks. This prompted CDK to shut down its entire system, encompassing software, data centers, and communication lines.
Bloomberg estimated the affected market’s value at a staggering $1.2 trillion. Reports indicate that an Eastern European cybercriminal group, identified as BlackHand by various sources, orchestrated the attack, demanding an eight-figure ransom for system restoration. A U.S. cybersecurity agency has linked BlackHand to code-sharing arrangements with another group in exchange for a portion of the ransom. Fortune magazine and other outlets have suggested CDK is poised to pay the ransom, though CDK has not officially confirmed this.
“We have initiated the recovery process,” stated CDK spokesperson Lisa Finney in a public statement. Initially, CDK communicated through media reports that service restoration would take “days, not weeks.” However, Reuters later reported that full online functionality for all dealers is not expected until at least the end of June.
Publicly traded automotive groups have issued press releases acknowledging their reliance on “alternative processes” pending CDK’s system recovery. As Bennett’s experience illustrates, these alternatives largely involve reverting to manual, paper-based operations.
Navigating the Fallout
Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance in Washington, D.C., cautioned in an email to Autobody News about an anticipated “decline in workflow stemming from delayed parts deliveries and service approvals.”
For Bennett’s shop, this prediction has materialized. “I’m currently managing five or six weeks’ worth of pending work,” he disclosed. “It undeniably disrupts our operational flow.”
The once-reliable next-day parts delivery has dissolved into uncertainty. Bennett sources parts from two dealerships: a large dealership with an estimated $4 million to $12 million in warehouse inventory, and a smaller local dealership. Even the latter, operating independently of the CDK system, has felt the impact due to its reliance on the larger dealership for parts.
Bennett is part of a buying collective comprising 24 independent shops across Iowa, Wisconsin, Minnesota, and South Dakota, all of whom are experiencing the cascading effects of the cyberattack.
“Every repair shop in Iowa is feeling the strain,” he emphasized. “We have three major dealerships within the state that typically supply 75% to 80% of the parts to Iowa shops.”
The Ironic Twist and Insurance Considerations
While body shops were not the direct targets of the ransomware attack, they are undeniably bearing the brunt of its downstream consequences.
“Planning for a supply chain disruption of this magnitude is incredibly challenging,” Bennett acknowledged.
However, those directly affected are beginning to adapt and strategize.
Once CDK systems are restored, dealerships will undertake meticulous data verification to ensure accuracy, and publicly traded companies will quantify the financial repercussions of the system shutdown. Toronto-based private equity firm Brookfield Business Partners acquired CDK for $8.3 billion in 2022. The publicly traded parent company of the PE firm witnessed a 6% decrease in its market capitalization following the attack. In a striking irony, a CDK survey from that same year, reported by Autobody News, highlighted an increase in cybercrime targeting car dealerships.
Steinhauer from the National Cybersecurity Alliance advised that CDK is urging “dealerships to prepare for a prolonged recovery period.” He recommended that dealers “implement robust backup systems and diversify their IT infrastructure to lessen their dependence on a single provider.”
Cyber insurance emerges as a relevant consideration. Insurer CFC points out that such policies can cover losses resulting from ransomware attacks. While the cybersecurity policy writing sector experienced a slowdown in 2023, as reported by an insurance trade magazine citing AM Best figures, this followed three years of substantial growth. The U.S. cyber insurance market reached approximately $7.2 billion last year, coinciding with a surge in ransomware incidents. Furthermore, a new “cyber risk management company” was recently spun off from London-based insurer Beazley, indicating the escalating importance of this sector.
