During my first years in the car business, I wore a lot of hats in each job position I had. The one thing I learned early is that the accounting office staff are often the cleanup crew when several types of problems arise. There are still system and procedure hiccups that happen today, but thanks to technology and automation they are fewer in number.
This CDK cyber attack is on a whole different level.
This breach is a very different type of problem, but in the end, when things begin to settle (which may take months), it will be the accounting office who will be tasked to gather the thousands of dealership puzzle pieces from sales, service and parts, and methodically match them up together to form some semblance of financial order.
The “End of the Month” is coming. New car dealerships are required to produce a monthly financial statement as mandated by the manufacturer and certain lenders. It’s unclear as of this writing if a June financial statement will be available. I would say the chances are slim.
Why did the CDK cyber attack happen?
There was once a company called ADP Dealer Services who were a great DMS provider. They got rolled into a company called Cobalt that sold mostly digital marketing services. Then, all of that got rolled into CDK Global and with that came private equity investments.
The first thing to get cut when private equity rolls through the front door is “cost-centers,” and Infosec (aka: Information Security) is viewed as a cost-center. The main people who defend the gates of the village (the company) from the barbarians (hackers) are the first sent off to exile.
When there is a ransomware attack, it’s revealed with clockwork-like precision that no one has tested the backups for six months and half the legacy systems cannot be resuscitated.
As a cybersecurity expert told me last week a few days after the attack happened, “It’s been at least two days since the ransomware attack with no fix in sight, which tells me a few things on this list have to be true”:
- They have no backups, or
- If they do have backups, they are outdated or never tested, which is effectively the same as having no backups.
- No one knows how to restore backups.
- There is no disaster recovery plan, or if it exists it is outdated to the point of uselessness.
- Multiple single points of failure are baked into the infrastructure.
- They have no idea how compromised they are.
I am very angry about how ADP Dealer Services, a once great company, has been raped and pillaged by private equity.
The real pain is suffered by the rank and file at dealerships, who still have to care for customers and sell to make a paycheck.
According to recent reporting, CDK will be paying the tens of millions of dollars in ransom. Here’s a short video about how these ransomware attacks roll out. This certainly won’t be the last.
Let’s not absolve the “Preferred Vendor” program in this debacle.
New car dealerships are franchises and the manufacturer is the franchisor. Each manufacturer has a “Preferred Vendor” program where vendors apply to be included on the list. It was my understanding that it’s a rigorous process that also entails paying a fee. In my experience, the program is anti-innovation because many start-ups and smaller vendors don’t have the budget to pay the fees that the big guys do.
Many times, the preferred vendor’s dealer pricing is higher than a non-preferred vendor (and in my opinion, the preferred vendor’s product quality is often not on par with the non-preferred vendor products and services).
Why then would a dealer choose a preferred vendor over a non-preferred vendor? Two reasons:
- Because the “Preferred Vendor” program is marketed as pre-vetted vendors (so there’s an assumption of higher quality and trust, which in practice, may or may not be the case).
- When the dealer chooses a preferred vendor, there is a financial incentive. The dealership can often recoup some of that expense through the manufacturer’s “Co-op” program.
CDK is a “Preferred Vendor.”
The glaring question that needs an answer now is where were the security audits for this vendor?
Why wasn’t there regular monitoring of this vendor to ensure their product was worthy of preferred status? Or, if there was regular monitoring, it’s clear now that the monitoring protocol is sorely lacking.
How did the CDK cyber attack happen?
CDK is an ancient program – not a lot has been done to upgrade the original version for decades. This is standard operating procedure when companies/private equity buy legacy companies. Innovation is not the goal. They slap on a new paint job or buff out the dents, and package it as the “new improved version” that is always much more expensive but “worth the investment.” Ask any dealer how they feel about CDK and other DMS fees these days.
These corporate raiders’ goal is to cut costs at all costs, and in this debacle, it’s clear they stripped the car for parts and left the data vulnerable to cyber criminals.
Theoretically, a mature DMS provider should be able to lose any single critical part of its core business and restore functionality within 24 hours (barring a massive natural disaster/personnel losses). Instead, they have no backups, no redundancy, no separate servers, and no siloed databases, which, when lost, are a pain to retrieve, but at least it’s only one silo and not the entire client roster of 15,000 locations.
This is simply unacceptable.
How does a dealership restore their records once the breach is contained?
Once CDK pays the ransom, it may take weeks and even months to get all the data in order after they receive the keys to the ransomware. The database will likely have holes in it that will add to the arduous restoration process.
There’s been a lot of talk online about just getting a new DMS vendor. While that seems like a good solution, the problem is that your data is being held hostage by whoever attacked CDK. Without the data, you have nothing to convert to the new DMS. But, the idea of other DMS solutions is a good one that should be explored once the dealership’s CDK records are restored.
When the dealership comes back online that’s when the fun starts for the Accounting Office.
During the outage, all employees continue to serve customers to the best of their ability, using manual documents and a patchwork of software support. When operations are functional again, all the business they produced – new and used car sales, service, parts, internals, warranty – anything that happened during the downtime, will need to be assembled and manually input into the system.
It could take a few weeks or a few months to match everything up, and it will be a lot of work just to get back to “normal.”
Organization is key.
If it’s a busier store – think 150+ cars per month or over $500K in monthly service labor – it will take a considerable amount of time to input due to the sheer volume of transactions.
Vehicle inventories – new cars, used cars – will need to be counted to verify every unit’s whereabouts. Parts inventory should also be verified unless the store had some kind of redundant system that kept track of it during the outage. Untracked inventories are ripe for theft.
If all the manual input goes well (and I do mean “If”), then all entries should land in their respective GL accounts. Schedules and other GL reports should be run to determine what it all actually looks like and to make sure all the monies that were collected are posted to their respective accounts.
One surefire place to start is the bank reconciliation. If you can balance your books to your bank, you’ll have a roadmap to a decent amount of checks and balances.
It will not be pretty but with the always-present perseverance of dealership accounting office staff, it will ultimately come together.
Moving beyond this unacceptable breach of the vendor-manufacturer-dealer relationship duty.
I’m just so appalled that this event happened. When I first heard about it, I said to my colleagues, “In what universe is it okay to manage data in such an irresponsible way?”
Most dealership employees have never had to perform their job without the use of technology. It’s a strong reminder that technology is only a tool for efficiency and it’s only as good as its infrastructure and established crisis protocols.
As I mentioned earlier, and as many dealers and staff know, CDK is a “preferred vendor” by the manufacturer.
- Where were the requirements for this vendor (and others) to adhere to when a crisis of this magnitude came to pass?
- Where were the audits that a preferred vendor should pass each year?
- Who will ultimately be held responsible for this appalling failure?
There will be lawsuits, of course. The only question is how many and from whom. Certainly I would expect claims against CDK from:
- Dealers for impeding commerce and negligence in data loss (among other things).
- Consumers for the massive data breach of extremely sensitive information.
- Employees for data privacy and lost compensation.
Here’s the first one we learned of today (June 25th): “Lease customer, former dealership employee sue CDK over breach.” Lawsuits filed in U.S. Northern District of Illinois seek class-action status and accuse CDK of negligence after the June cyberattacks.
Pro Tip: Now is a good time for dealers to contact their Cyber Liability Policy carrier. Check to see if you have Contingent Business Interruption coverage and put the carrier on notice. No need to file a claim just yet but it’s worth having a conversation to know if you’re covered and for how much.
We are only at the beginning of this debacle and my guess is there are many other attacks that are ripening as we speak.
There was a suggestion by someone online (who is not qualified to give advice about data security) that implementing local servers is a solution for data security. Let me tell you, it has been tried several times before. The outcome was never optimal and sometimes disastrous. Cyber criminals are just too sophisticated today, and dealership operational structures often don’t allow for on-site staff for this purpose only.
Dealers need to rely on their DMS vendor to secure their data – it’s a long-standing partnership. This event has betrayed that reliance and will have lasting effects.
My recommendation is to seek advice from qualified experts (not vendors or online know-it-alls) and devise a long-term, many-pronged plan for data security and breach protocols. Performing due diligence with your own expert will help you ask the right questions when interacting with vendors instead of relying on the vendor’s sales team for assurances.