If you ran a dealership in June 2024, you remember it. The screens went dark, and they stayed dark. The CDK ransomware attack on dealerships took out the software that runs sales, service, and financing for thousands of lots, and it did not come back for nearly two weeks.
The big takeaway was not "patch your software." It was simpler and more uncomfortable: dealers are targets, downtime is existential, and being small does not make you safe. It often makes you easier to hit.
What happened, and how long it lasted
On June 18, 2024, the BlackSuit ransomware group hit CDK Global, the vendor whose dealer management system (DMS) roughly 15,000 dealerships across the United States and Canada rely on. CDK took its systems offline. A second attack on June 19 set the recovery back further. Many dealers reverted to pen and paper for nearly two weeks, with full restoration completed around July 4. Reports indicate that about 25 million dollars in bitcoin moved to the attackers around June 21, although CDK never publicly confirmed paying a ransom. The Anderson Economic Group estimated the attack cost dealerships more than one billion dollars collectively.
What made it worse was the repeat. CDK had begun bringing systems back when a second intrusion on June 19 forced it to shut everything down again, which is part of why a days-long problem became a two-week one. For dealers, there was no switch to flip and no alternative to log into. The work that runs a dealership, pulling a customer's credit, printing a deal, scheduling service, ordering parts, simply stopped, and stayed stopped, across thousands of lots at the same time.
The lesson is in the dependency. When one vendor goes down, every dealer on it goes down at the same time, and there is nothing an individual lot can do but wait. Independents are not too small to be hit. They are easier to hit, because the security that slows attackers down is usually the thing nobody at a small lot owns.
Why independents are softer targets
It is tempting to read the CDK story as a big-vendor problem. The opposite is closer to the truth. Attackers do not pick targets by prestige. They pick by ease.
A small lot tends to have shared logins, no MFA, one person who "handles the computers," backups that were set up once and never tested, and no plan for the morning everything is locked. None of that is a moral failing. It is what happens when the owner's job is selling cars, not running security.
But to a ransomware crew running automated scans across the internet, an unprotected dealership looks the same whether it sells forty cars a month or four thousand. There is a comforting story owners tell themselves, that a small used-car lot is not worth a hacker's time. It is the wrong story. Modern ransomware is not hand-aimed at famous targets. It sweeps the internet looking for any door left unlocked. A two-person lot with one shared login and no MFA is a softer, faster payday than a hardened enterprise, and the crews running these campaigns know it. Being overlooked is not a security strategy. It is luck, and luck runs out.
What two weeks offline actually costs a small lot
For a 15,000-store outage, the headline is a billion dollars. For your lot, run the math at your own scale. Two weeks without the DMS means deals you cannot close or fund, service tickets you cannot process, payroll and parts you still owe, and customers who walk to the dealer down the road that is still running. Add the recovery costs (IT help, overtime, possible breach notification) and the trust you spend explaining the outage to every customer. A small dealership does not have a billion-dollar balance sheet to absorb that. The downtime is the damage, and for an independent it can be the kind you do not fully recover from.
There is a compliance angle too. The FTC Safeguards Rule requires covered dealers to notify the FTC within 30 days of discovering a breach that affects 500 or more people. So an incident is not only an operational problem. It can start a regulatory clock at the same time. And the costs do not stop when the systems come back. Customers who had a bad experience during the outage remember it. Deals that fell through during those two weeks do not all come back. The reputational cost is real even if it never lands on an invoice, and for an independent that competes on trust and word of mouth, that may be the most expensive part of all.
The basics that stop most attacks
Here is the part that should be reassuring. Most ransomware does not get in through some genius exploit. It gets in through a stolen password or a phishing click, then spreads because nothing was there to stop it. The basics that block the majority of attacks are unglamorous and achievable:
- MFA on email, remote access, and the DMS, so a stolen password is not enough by itself.
- EDR or MDR on every machine, so malicious behavior gets caught and the machine isolated fast.
- Tested, immutable backups, so you can restore instead of negotiate.
- A written incident response plan, so the first hour is not improvised.
- Staff training, because the click is still the front door.
None of this requires you to become technical. It requires someone to own it, watch it, and keep it working.
Have a team before you need one
The dealers who came through CDK best were the ones who had recovery options and a plan, not the ones who scrambled. You cannot control whether a vendor gets hit. You can control whether your own lot has the basics in place and someone watching. Flynaut becomes your IT and security team: we put the controls in, monitor them, test the backups, and keep the plan ready, so the next bad headline is something you read, not something you live.
You do not get a warning before a vendor or an attacker tests your defenses, so the only useful time to fix the basics is before that morning, not during it.
This is not legal advice; confirm your specific obligations with counsel.
Sources & notes
Reporting on the June 2024 CDK Global attack, including CNN, CyberScoop, and TechTarget; ransom amount reported but not confirmed by CDK; collective dealer loss estimate from the Anderson Economic Group; FTC Safeguards Rule breach-notification requirement (notify within 30 days of a breach affecting 500+ consumers).