
CDK Global Incident | June 2024

CDK Global Incident Overview

 

 

Corvus will NEVER call you to ask for access to your systems.  If you receive any calls purporting to be from Corvus and asking for access to your system, they are social engineering calls.

If you receive such a call, please contact us at services@corvusinsurance.com

 

Vulnerability Update

On Saturday, June 22, 2024, the CDK Global incident hotline referred to the incident as a cyber ransom event following reports by Bloomberg of the same. This cyber ransom event has been attributed to BlackSuit ransomware. At this time, CDK Global reports that it has begun the restoration process. CDK Global anticipates the restoration will take several days, not weeks, for the major application to resume functionality.

Background Information

On or about June 18, 2024, CDK Global suffered a cyber security incident that led them to disconnect their systems and infrastructure, resulting in a lack of service to their customers. While no details are known about the incident at this time, CDK Global has reportedly contacted their customers and advised that the “Always-on VPN” be disabled, as it has administrative permissions for the purpose of updates.

CDK Global’s hotline has also reported instances of threat actors contacting dealerships while purporting to be CDK Global employees. Threat actors are conducting social engineering, attempting to gain direct access to dealership systems and records. CDK Global stated that they will not be contacting any customers to obtain any alternative access or credentials.

Next steps for auto dealerships that use CDK Global software:

We encourage your organization to take the following steps to mitigate potential attacks:

  1. Disable the always-on VPN used to connect to CDK Global services.
  2. Closely follow all updates from CDK Global and wait for them to communicate that it is safe to enable the always-on VPN connectivity.
  3. Threat actors are contacting dealerships purporting to be CDK employees to social engineer their way into customer systems.  Exercise extreme caution when being contacted about software updates and access.
    1. Please inform your employees that the risk of company phishing and social engineering is incredibly high at this moment.

    2. Verify directly with CDK Global through your own initiated and trusted contact details if any needs arise.

Actions Taken by Corvus

  • Corvus has sent two alerts to all of our auto dealer policyholders to encourage proactive measures to prevent additional harm or business loss.
    • The Corvus Risk Advisory Team will continue to communicate with policyholders regarding questions or concerns.

  • The Corvus Claims Team is actively responding to all potential notices of loss, working directly through the claims process with our policyholders.

Timeline of the Incident

  • On Tuesday evening, CDK Global—which provides SaaS-based CRM, payroll, finance and other functions to 15,000 dealerships—reportedly became aware that it was under attack.
  • While CDK was working to recover from the first attack, the company was struck by a second attack late on Wednesday evening, according to media reports.
    • “We are sorry to inform you that we experienced an additional cyber incident late in the evening on June 19th,” reads a message to CDK customers posted Thursday on X.

  • According to the message posted on X, the latest attack prompted CDK to shut down its systems for a second time.
    • “Out of continued caution and to protect our customers, we are once again proactively shutting down most of our systems,” the message posted Thursday reads.

  • In a message to TechCrunch, a CDK spokesperson confirmed Thursday that the company has shut down “most” of its systems.
    • According to the message posted Thursday on X, CDK has been “assessing the overall impact and consulting with external 3rd party experts.”

      “At this time, we do not have an estimated time frame for resolution and therefore our dealers' systems will not be available at a minimum on Thursday, June 20th,” the message reads.

      “We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible,” the CDK spokesperson said in a statement shared with TechCrunch.

  • As of early Friday morning, June 21, 2024, the CDK Global hotline stated that there is no "estimated time frame for resolution and therefore our dealer systems will not be available likely for several days."
  • Saturday evening, June 22, 2024, the CDK Global incident hotline referred to the incident as a cyber ransom event. CDK Global estimated that the restoration process would take several days, as opposed to weeks, for the major application to function.

CDK Global set up toll-free lines at +1 (855) 356-3270 (English) and +1 (877) 483-7817 (French) for updates.
