Most breach stories are about data walking out the door. This one is different, and that is exactly why it belongs in every third-party risk conversation. When CDK Global was hit by ransomware in June 2024, the damage was not measured in stolen records. It was measured in dealerships that could not sell a car, book a service appointment, or close a finance deal because the software running their entire business had gone dark. For roughly two weeks, an industry ran on pen and paper.
CDK Global provides the dealer management system, or DMS, that thousands of franchised auto dealers in North America use to run sales, financing, inventory, parts, and service from a single platform. The company, based in Hoffman Estates, Illinois, and owned since 2022 by Brookfield, serves roughly 15,000 dealer locations. When its systems stopped, so did theirs.
What Happened
On June 18, 2024, CDK detected a cyberattack and shut down most of its IT systems, including the core DMS, to contain it. The company began working to restore service. Then, on the evening of June 19, while recovery was still underway, CDK was hit a second time and was forced to shut everything down again. That second blow is the detail worth remembering: the attackers were still active in the environment during the response, and the recovery had to start over.
Restoration came back in phases starting around June 22. By July 2, CDK said substantially all dealer connections were live again, and by the July 4 weekend the platform was essentially restored for nearly all of its dealers, though some third-party integrations lagged into late July. Start to finish, dealers lived without their central system for about two weeks.
Security researchers attributed the attack to the BlackSuit ransomware group, widely described as a rebrand of the Royal ransomware operation with roots in the former Conti syndicate. That attribution came from researchers and reporting, notably Recorded Future's Allan Liska and coverage by Reuters and Axios. CDK itself did not publicly name the group. According to reporting first published by CNN in July 2024, CDK reportedly paid a ransom of around 25 million dollars, roughly 387 bitcoin, on or about June 21, a figure later corroborated by blockchain analysis from TRM Labs reported by CyberScoop. CDK and Brookfield declined to confirm any payment. If accurate, it was reported as the largest ransomware payment of 2024.
| Date (2024) | Event |
|---|---|
| June 18 | CDK detects the attack, shuts down most systems including the DMS |
| June 19 (evening) | A second attack strikes during recovery, forcing another full shutdown |
| ~June 21 | A ransom of roughly $25 million (about 387 BTC) is reportedly paid; CDK did not confirm |
| ~June 22 | Phased restoration begins |
| July 2 to 4 | Substantially all dealers back online; the outage lasted about two weeks |
The Damage Was Downtime, Not Data
The scale of the operational hit is what makes this case unusual. The Anderson Economic Group estimated that dealers lost about 1.02 billion dollars over the roughly three-week period spanning the outage, a figure it revised upward from an initial 944 million dollar estimate once actual June sales data was in. That total includes lost earnings on an estimated 56,200 new-vehicle unit sales that were lost or deferred, plus lost used-car and parts-and-service earnings, extra staffing, and added interest costs. Notably, the estimate excludes consumer harms, dealer reputational damage, and litigation costs, so it is a conservative floor rather than a ceiling.
On the ground, dealers reverted to manual processes. Sales staff hand-wrote deals, service departments tracked repair orders on paper, and finance offices improvised without their usual systems. Large public dealer groups took the disruption seriously enough to flag it in securities filings: both AutoNation and Sonic Automotive disclosed the CDK outage in SEC filings dated June 19, 2024, an unusually direct signal that a single vendor's downtime had become material to publicly traded companies.
Why This Is a Concentration Problem
CDK is the largest DMS vendor in North America. Industry reporting and antitrust litigation have long described a duopoly, with CDK holding roughly 40 percent of the market and Reynolds and Reynolds around 30 percent, the two together serving about three-quarters of franchised dealers. Those percentages are estimates drawn from industry sources and legal filings rather than audited figures, but the shape is not in dispute: a very large share of an entire retail sector depends on one of two vendors, and switching is neither quick nor cheap.
That is the textbook definition of concentration risk, and it is the same failure mode we examined after the CrowdStrike outage. A single vendor problem does not stay contained to one customer. It fans out across every organization that depends on that vendor, all at once, turning one company's bad week into an industry-wide event. It is also a close cousin of the availability risk we covered when a key pharmaceutical supplier went dark: the questionnaire score never mattered, because the thing that broke was uptime, not a control.
The uncomfortable part for dealers was the absence of a fallback. A dealer management system is deeply embedded, contracts run for years, and there is no realistic way to fail over to an alternative in the middle of an incident. The business continuity plan turned out to be a stack of paper forms. That is not a knock on any individual dealer. It is a structural feature of concentrated markets that TPRM programs routinely underweight because they focus on data protection and treat availability as an IT problem rather than a vendor risk.
What TPRM Teams Should Take Away
The CDK attack is a clean argument for assessing vendors on availability and continuity, not just security posture. A few practical implications follow directly from the facts.
- Treat availability as a first-class risk. For any vendor whose downtime would halt your operations, model the cost of an extended outage the way you would model a data breach. The true cost of a third-party incident often lives in lost revenue and manual workarounds, not just notification and remediation.
- Ask for real continuity evidence. Recovery time objectives, tested backups, and incident-response history matter more than a certification logo when the failure mode is downtime. Ask what happens if the vendor is compromised twice in one week, because that is what happened here.
- Map your single points of failure. Identify the vendors with no viable substitute and no manual fallback. Those are your concentration risks, and they deserve explicit board-level attention and, where possible, contractual continuity commitments.
- Plan the manual mode in advance. If pen and paper is your true fallback, write it down before the incident. The dealers who coped best were the ones who improvised fastest.
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Free Demo Download SourceSources & References
- CDK Global hacked again while recovering from first cyberattack - BleepingComputer, June 2024
- CDK Says Substantially All Dealership Systems Back Online - Bloomberg, July 2, 2024
- BlackSuit ransomware gang behind CDK Global attack - Axios, June 24, 2024
- CDK Global paid $25 million ransom after hack - CNN, July 11, 2024
- Blockchain analysis ties ~$25M payment to BlackSuit - CyberScoop, 2024
- Dealers lost $1.02B to CDK cyberattack, revised AEG study says - Automotive News, 2024
- What the CDK outage meant for auto dealerships - CBS News, June 2024
- AutoNation Form 8-K disclosing the CDK outage - U.S. Securities and Exchange Commission, June 19, 2024