A group that claims it hacked CDK Global, the software provider to thousands of North American car dealerships, has demanded tens of millions of dollars in ransom, according to a person familiar with the matter.
CDK is planning to make the payment, said the person, who asked not to be identified because the information is private. The hacker group behind the attack is believed to be based in Eastern Europe, the person said. In the early days of any ransomware attack, discussions are fluid and the situation can change.
CDK did not respond to multiple requests for comment on Friday.
Since CDK discovered the breach and shut down its systems on June 19, chaos has ensued at many of the roughly 15,000 car dealerships it counts as customers. CDK’s flagship product—a suite of software tools referred to as a dealership management system, or DMS—supports nearly every element of a car dealership’s day-to-day business. So the outage hampered sales, interrupted repairs and delayed shipments in an industry that reached $1.2 trillion in U.S. sales last year. The outages are also hitting amid a late-quarter sales push.
“It’s just massive chaos at this point,” Diana Lee, chief executive of Constellation, a marketing agency that works with auto dealers across the US, told Bloomberg Television. “The dealer is required to actually run a DMS for sales, service, parts, for every single functionality — even stocking a vehicle, you can’t do without the DMS system. So it’s a disaster.”
CDK had briefly restored some services for a few hours on June 19, but was forced to shut them down after a second cyber attack. On Thursday, the company warned merchants that their systems would likely be unavailable for several days.
A demand of tens of millions of dollars comes after hackers demanded $50 million from a laboratory services company at the center of an ongoing ransomware attack that has caused disruption at London hospitals. UnitedHealth Group Inc., the largest US medical insurer, admitted earlier this year that it had paid hackers a $22 million extortion fee.
CDK has not said who or which entity is behind the intrusion, but issued a warning to customers Thursday evening, saying outside parties are reaching out to customers, trying to take advantage of the confusion.
“We are aware that bad actors are contacting our customers, posing as CDK members or associates, trying to gain access to the system,” the company said. “CDK associates are not contacting customers for access to their environment or systems. Please only respond to known CDK employees and communications.”
There are only a handful of DMS companies for dealers to choose from after decades of consolidation within this corner of the auto retail industry. As a result, thousands of shops are heavily dependent on CDK’s services to line up financing and insurance, manage vehicle and parts inventory, and complete sales and repairs.
Car dealer Sonic Automotive Inc., which uses CDK to support critical dealer operations, said the disruptions caused by the cyberattack are likely to have a “negative impact” on its operations until its systems recover, according to a Friday filing. Sonic has not determined whether the attack will have a material impact on its finances and has reopened all of its retailers with solutions to limit the disruption, the company said.
CDK’s parent company, Brookfield Business Partners LP, had its worst trading day since October – down 5.7% on Thursday – and extended its decline on Friday. Shares in dealer groups AutoNation Inc., Group 1 Automotive Inc. and Sonic Automotive Inc. also fell.