Auto retailers across the U.S. are likely to be out of service for days following a second major cyberattack at CDK Global, the software provider that thousands of dealers rely on to run their stores.
“At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available likely for several days,” the company said in a communication sent to customers on Thursday that has been reviewed by Bloomberg.
A CDK spokesperson did not immediately respond Thursday to an email and phone message inquiring about the message it sent to customers.
CDK informed customers Thursday of the incident, which occurred late the prior evening. The company shut down most of its systems again, initially saying that its dealers’ systems “will not be available at a minimum on Thursday.”
On what otherwise would have been a busy U.S. holiday for business, dealers reliant on CDK were unable to use its systems to complete transactions, access customer records, schedule appointments or handle car-repair orders. The company serves almost 15,000 dealerships, supporting front-office salespeople, back-office support staff and parts-and-service shops.
The outage also extended to hundreds of dealerships in Canada, with retailers relying on pen and paper to work on deals, said Tim Reuss, president of the Canadian Automobile Dealers Association. Those transactions will eventually need to be logged digitally once the systems are back online, he said.
“There’s going to be a bit of a hangover from this incident,” he said.
AutoNation Inc. led shares of publicly listed dealership groups lower Thursday, falling as much as 4.6% in intraday trading. Lithia Motors Inc., Group 1 Automotive Inc. and Sonic Automotive Inc. also slumped.
CDK is among a small cadre of companies that provide dealership management systems to auto retailers, along with Reynolds & Reynolds Co. and Dealertrack, a unit of Cox Automotive.
Dealerships reported varying degrees of impact on Thursday, with some saying in social media posts that they were unaffected by the hack. Others said they still experienced disruptions even though they used DMS systems from CDK’s rivals.
Greg Thornton, the general manager of a dealership group in Frederick, Maryland, said his stores’ CDK customer-relations software had been down since early Wednesday morning.
“I can only assume that CDK is working all hands on deck to resolve this,” said Thornton, whose group includes Audi and Volvo stores. “We’ve had no conversations with them in person or over the phone.”
Open Road Auto Group’s 19 dealerships in New York and New Jersey utilize Reynolds & Reynolds but have been unable to deliver new vehicles since the outage began Wednesday, said Michael Morais, president of the dealer group.
That’s because other CDK services outside the primary DMS are also down, including one that links dealerships with state motor-vehicle departments for titling and registration, he said.
“We’re frustrated with CDK because they should have better precautions,” Morais said.
Sam Pack’s Five Star Chevrolet outside Dallas sold four vehicles on Wednesday despite the initial outage, but has had to adapt, such as by handling some tasks on paper until service is restored, said Alan Brown, the store’s general manager. While sales staff are able to submit approvals to lenders, the outage has blocked other elements of a transaction, such as obtaining titles.
“We’re still doing business,” Brown said. “It’s just not our normal flow.”
CDK hasn’t yet provided a timeline for when its systems will be available again, he said.
The National Automobile Dealers Association said Wednesday it was actively seeking information from CDK to determine the nature and scope of the cyber incident.
CDK was spun off by Automatic Data Processing Inc. in 2014, then agreed to be acquired in April 2022 by the investment company Brookfield Business Partners in an all-cash deal valued at $6.4 billion.