Car Dealers Reel From Cyberattack on $1.2 Trillion Market

(Bloomberg) -- A dealership in Phoenix is handwriting paper contracts and gauging creditworthiness with guesswork. A Jeep owner in Alabama keeps calling about when a replacement part will be in stock. A family in New Jersey is waiting for word on when they can take delivery of their new Audi.

Such is life for auto retailers and their customers across the US and Canada after CDK Global — a software provider to some 15,000 dealers — was waylaid by debilitating cyberattacks. The barrage began June 19, costing US dealers a burst of business on a federal holiday. CDK has warned that a second incident Thursday is likely to keep its systems down for several more days.

The attacks have had a crippling effect on an industry that topped $1.2 trillion in sales last year just in the US, and is in the thick of an end-of-quarter sales push. CDK’s core product — a suite of software tools referred to as a dealership management system, or DMS — underpins virtually every element of auto retailers’ day-to-day business.

“It’s just mass chaos at this point,” Diana Lee, the chief executive officer of Constellation, a social media agency that works with auto dealerships across the US, said on Bloomberg Television. “The dealer’s required to actually run a DMS for sales, service, parts, for every single functionality — even stocking a vehicle, you can’t do it without the DMS system. So it is a disaster.”

Related:Hackers Demand as Much as $5 Million From Snowflake Clients

CDK hasn’t said who or which entity is behind the intrusion, but it did issue a warning to customers Thursday evening that people are reaching out to customers and attempting to capitalize on the confusion.

“We are aware that bad actors are contacting our customers, posing as members or affiliates of CDK, trying to obtain system access,” the company said. “CDK associates are not contacting customers for access to their environment or systems. Please only respond to known CDK employees and communications.”

There are only a handful of DMS companies for dealers to choose from after decades of consolidation within this corner of the car-retailing industry. As a result, thousands of stores are highly reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.

CDK’s parent, Brookfield Business Partners LP, had its worst trading day since October — plunging 5.7% on Thursday — and extended its decline Friday. Shares in dealer groups AutoNation Inc., Group 1 Automotive Inc. and Sonic Automotive Inc. also slumped.

In the meantime, CDK competitor The Reynolds and Reynolds Co. said it’s on the lookout for things it can do “quickly” for affected dealerships.

Related:London Hospitals Knew of Cyber Vulnerabilities Years Before Hack

“Our industry is under attack,” Christopher Walsh, the company’s president, said in a comment posted to LinkedIn. “The impact of this goes far beyond CDK – it is hurting a lot of dealers and consumers as we enter the peak of summer.”

Representatives for Ford, Volkswagen, Mercedes-Benz and BMW confirmed some of their dealers use CDK and said they’re working with those affected by the disruption. Other car companies didn’t immediately respond to requests for comment.

For Joshua Adams, the Jeep owner in Millbrook, Alabama, CDK’s outage comes at an inopportune time. He’d already gone weeks without his 2020 Renegade sport utility vehicle as he waited for a warranty claim to be sorted out.

This week, he called his dealership to check if the final part needed to fix his vehicle had arrived, as expected. The service center was unsure, saying it was impossible to know because of the hack.

“They can’t tell me where my part is or when it will arrive,” Adams said. “We are just up in the air.” He expects the delay will cost several hundred dollars in additional expenses for a rental car he’s driving in the meantime.

In New Jersey, the Lanni family was excited to take delivery of a new Audi Q5. Daniel Lanni and his wife had removed the child seats from their old vehicle so they’d be ready for plopping into the new SUV. But on June 19, their dealer called to say the store’s computer system was down, and it wasn’t clear when they’d be able to take delivery.

Lanni and his wife re-installed the car seats for their children – ages 3, 5 and 8 – and said they hadn’t heard more from the dealer as of Thursday afternoon.

“The kids were really excited,” said Lanni, a 41-year-old commercial real estate broker. “They’re upset and now they’re just regularly asking about it.”

Alex Padron, a sales manager at a Nissan dealership in Phoenix, said that business was “almost at a standstill” on Thursday. Everyone who’s purchased a vehicle from the store since 2014 — when it began using CDK’s software — has data stored in the system, he said.

“It’s probably more than 50,000” customers, he said.

The dealership is now handwriting paper contracts and finding novel ways to get deals done. He said workers in the finance department have had to “guess” customers’ creditworthiness based on “whatever information they can gather.”

Since the attack began, the dealership has been able to process about half the transactions it usually can. Anything complicated — say, a purchase involving a trade-in or unusual financing — simply can’t get done.

“For this store, I’d like to have 10 complete deals done a day,” Padron said. “Five, six, seven would be nice today.”