Ripples from the recent ransomware attack on auto dealership software provider CDK Global have spread to the independent collision repair shops that buy OEM parts from their local dealerships, and are now struggling with a supply chain disruption on a scale not seen before.
“It’s caused huge disruptions -- massive problems across the country,” said Beau Bennett, owner of Kious Kountry Auto Collision Center Inc., a 16,000-square-foot shop in Waukon, IA, that relies on two local dealers for parts, as “95% of the parts I put on are OEM,” he said.
Bennett had to immediately boost liability insurance as the number of vehicles stored onsite at his shop grew, held up by the sudden inability to get some of the parts to finish them -- a $100,000 GMC Denali is waiting on door clips, which nobody is sure are in the warehouse.
Since the attack, he has been able to take delivery of “$20,000 worth of parts, and it’s on a paper ticket” because dealer computers are down, forcing them to revert to manual processes, causing significant operational slowdowns and customer service delays.
“It’s not [dealers’] fault,” Bennett said. He’s worked with his vendors for 30 years and intends to stick with them.
Hack Attack
In the late night hours of June 18, continuing through June 21, Illinois-based CDK Global Inc., a software and data provider to 15,000 automotive dealerships, was hit by several cyberattacks, leading CDK to shutter its system, including software, data centers and phone lines.
Bloomberg set the value of the affected market at $1.2 trillion and reported an Eastern European group, later identified by several sources as BlackHand, launched the attack and sought an eight-figure ransom to end it. A U.S. cybersecurity agency said BlackHand shares code with another group in return for a cut of the cash. Fortune magazine and others have recently reported CDK would pay, but CDK hasn’t confirmed this.
“We have begun the restoration process,” CDK spokesperson Lisa Finney said in a statement. CDK initially said in media reports it would be “days not weeks” until service was restored, but Reuters reported CDK will not be fully online with all dealers until at least the end of June.
Publicly traded companies issued press releases noting they were “using alternative processes” until CDK is back. This included, as Bennett has experienced, a pen-and-paper approach.
Workarounds
Cliff Steinhauer, director of information security and engagement at National Cybersecurity Alliance in Washington, D.C., warned against a “decrease in workflow due to delayed parts shipments and service approvals" in an email to Autobody News.
Bennett said it hasn’t come to that for his shop. “I’m sitting on five or six weeks of work,” he said. “But it definitely disrupts the workflow.”
He’s gone from next-day parts delivery to who knows when. The two dealerships Bennett works with are a large one he estimates holds between $4 million and $12 million in warehouse inventory, and a smaller local one. Even the latter, not on the CDK system, was affected when it gets parts from the larger one.
Bennett is part of a buying group of 24 independent shops in Iowa, Wisconsin, Minnesota and South Dakota, and all are feeling the effects.
“Every shop in Iowa is being affected,” he said. “We have three major dealerships in the state which supply 75% to 80% of the parts” to Iowa shops.
Irony, Insurance
Body shops weren’t the target of the ransomware attack, but they’re feeling the aftershocks.
“It’s hard to plan for a supply chain disruption of this magnitude,” Bennett said.
Those directly affected are starting to.
After CDK is back online, dealerships will review data to ensure accuracy and public companies will total the costs of the shutdown. Toronto private equity firm Brookfield Business Partners paid $8.3 billion for CDK in 2022; the publicly traded parent of the PE firm lost 6% of its market cap after the attack. Ironically, a CDK survey that year reported on by Autobody News noted an increase in cybercrime against car sellers.
Steinhauer said CDK advises “dealerships to prepare for an extended recovery period.” He said dealers should “implement robust backup systems and diversify IT infrastructure, to reduce reliance on a single provider.”
Cyber insurance might also be an option. Insurer CFC notes such coverage can apply to loss from ransomware, and while cybersecurity policy writing slowed in 2023, according to an insurance trade magazine working from AM Best figures, this followed three strong years of growth, to about $7.2 billion in the U.S. last year, as ransomware attacks increased, and a new “cyber risk management company” was this year spun out of London-based insurer Beazley.
Paul Hughes