Auto retailers across the US are likely to be out of service for days after a second major cyber attack at CDK Global, the software provider that thousands of dealers rely on to run their stores.
“At this time, we do not have an estimated time frame for the resolution and therefore our merchants’ systems will likely be unavailable for several days,” the company said in a communication sent to clients on Thursday that was reviewed by Bloomberg.
A CDK spokesman did not immediately respond Thursday to an email and phone message asking about the message it sent to customers.
CDK informed customers on Thursday of the incident, which occurred late in the evening. The company shut down most of its systems again, initially saying that its dealers’ systems “will not be available until at least Thursday.”
In what would otherwise have been a busy holiday in the US for business, CDK-supported merchants were unable to use its systems to complete transactions, access customer data, schedule appointments or to handle car repair orders. The company serves almost 15,000 dealers, supporting front office salespeople, back office support staff and parts and service shops.
The outage also extended to hundreds of dealerships in Canada, with dealers relying on pen and paper to work on deals, said Tim Reuss, president of the Canadian Automobile Dealers Association. Those transactions will eventually have to be recorded digitally once the systems come back online, he said.
“There will be a bit of a hangover from this incident,” he said.
Shares of AutoNation Inc. led by publicly listed trader groups fell on Thursday, falling as much as 4.6% in intraday trading. Lithia Motors Inc., Group 1 Automotive Inc. and Sonic Automotive Inc. also fell.
CDK is among a small group of companies that provide dealership management systems for car dealerships, along with Reynolds & Reynolds Co. and Dealertrack, a unit of Cox Automotive.
Representatives reported varying degrees of impact Thursday, with some saying in social media posts that they had not been affected by the hack. Others said they still experienced outages even though they were using DMS systems from CDK’s rivals.
Greg Thornton, general manager of a dealer group in Frederick, Maryland, said his stores’ CDK customer relations software had been down since Wednesday morning.
“I can only assume that CDK is working hard to resolve this,” said Thornton, whose group includes Audi and Volvo shops. “We have not had any conversations with them in person or over the phone.”
Open Road Auto Group’s 19 dealers in New York and New Jersey use Reynolds & Reynolds but have been unable to deliver new vehicles since the outage began Wednesday, said Michael Morais, president of the dealer group.
That’s because other CDK services outside of the primary DMS are also up and running, including one that connects dealers with state departments of motor vehicles for titling and registration, he said.
“We are frustrated with CDK because they should have better precautions,” Morais said.
Sam Pack’s Five Star Chevrolet outside Dallas sold four vehicles Wednesday despite the initial outage, but has had to adjust, such as handling some paperwork until service is restored, said Alan Brown, the store’s general manager. While sales staff are able to deliver approvals to lenders, the outage has blocked other elements of a transaction, such as obtaining titles.
“We’re still doing business,” Brown said. “This is just not our normal course.”
CDK has not yet given a timeline for when its systems will be available again, he said.
The National Automobile Dealers Association said Wednesday it was actively seeking information from CDK to determine the nature and scope of the cyber incident.
CDK was spun off from Automatic Data Processing Inc. in 2014, then agreed to be acquired in April 2022 by investment firm Brookfield Business Partners in an all-cash deal valued at $6.4 billion.