OFFICIAL PUBLICATION OF THE LOUISIANA AUTOMOBILE DEALERS ASSOCIATION

Pub. 1 2024 Issue 3

Navigating the CDK Cyber Incident

Immediate Actions and Long-Term Security Strategies

Navigating the CDK Cyber Incident: Immediate Actions and Long-Term Security Strategies

In the wake of the CDK Global cyber breach, the automotive industry is facing significant challenges and uncertainties. On June 19, CDK confirmed a “cyber incident” that led to a series of rapid and consequential actions, including shutting down various systems that are critical to dealership operations. This incident has escalated over weeks, revealing that Eastern European hackers allegedly demanded a multimillion-dollar ransom and culminating in reports that CDK may have paid approximately $25 million to end the outage.

It is crucial for dealerships to stay informed and take immediate steps to protect their data. This article provides a detailed timeline of the events, an overview of the FTC Safeguards Rule and KPA’s recommendations for navigating this crisis and enhancing your dealership’s data security.

CDK Cyber Incident Timeline

  • June 19: CDK confirms “cyber incident,” shuts down customer access to various systems, turns customer access back on and turns customer access off again.
  • June 20: It is reported that bandwagon hackers are phishing, vishing and smishing dealers while posing as CDK.
  • June 21: CDK announces that systems will be down for several days, and it is reported by Bloomberg that Eastern European hackers are allegedly demanding a ransom.
  • June 22: CDK announces it has started the restoration process. CDK identifies this as a “cyber ransom event,” and the first purported class action complaint is filed against CDK.
  • June 25: CDK notifies dealers that not every dealer will have access restored by June 30, and dealers should look for other options to close month-end.
  • July 2: CDK announces that the DMS access is substantially restored to customers, and that CDK will make notifications to the FTC (if necessary, unless a dealer opts out).
  • July 11: CNN reports that CDK likely paid 387 Bitcoins (roughly $25 million) to hackers to end the outage.

Reporting Obligations under the FTC Safeguards Rule

The Federal Trade Commission (FTC) Safeguards Rule provides a framework for dealerships and other financial institutions to protect customer information by requiring them to have certain measures in place to ensure the security and confidentiality of customer records and information.

On Oct. 27, 2023, the Federal Trade Commission (FTC) announced a revision to the Safeguards Rule, requiring non-bank financial institutions to report data breaches to the FTC within 30 days of discovering that unencrypted information of more than 500 consumers was obtained by third parties without authorization. This notification requirement went into effect on May 13, 2024, and is in addition to any state notification requirements.

Are You Required to Report this Incident to the FTC or Others?

Dealership do not know yet since CDK has not revealed exactly what has happened. While it is very likely that the hackers accessed and acquired unencrypted customer information, we do not know the extent to what customer information was accessed. In other words, dealerships have no way of knowing whether their customers’ information was compromised during the CDK cyber incident.

While CDK has worked out an agreement with the FTC that would allow CDK to report on behalf of any dealership if that dealership’s customer information was compromised, you should still gather more information before deciding to participate or opting-out. What will CDK’s message to the FTC state? Will the dealership have any obligations to follow up on requests from the FTC? Will CDK indemnify the dealers for any mistakes or errors?

Additionally, states have their own notification laws, and the agreement between CDK and FTC does not address those state-level requirements.

Regardless, if you have not already done so, you should notify your insurance company and put them on notice of this incident, even if not making a claim, to avoid arguments by the carrier that a notification delay caused prejudice to the carrier. The carrier will also be helpful in the notification process if necessary.

Nevertheless, stay informed because date breach notification time frames are very narrow.

Tips for Data Security at Your Dealership

Ensuring the security of your dealership’s data is more crucial than ever. Evaluate how your organization protects user data and consider steps to enhance its security. Here are some essential tips to keep your dealership’s data secure:

  • Create Secure Passwords: Strong passwords are the first line of defense against unauthorized access. Use long passwords with a mix of uppercase and lowercase letters, numbers and special characters.
  • Set Up Multifactor Authentication: Multifactor authentication (MFA) adds an extra layer of protection by requiring multiple forms of verification, making it significantly harder for unauthorized users to gain access. With MFA, even if one credential is compromised, additional authentication factors can prevent attackers from accessing all sensitive information.
  • Encrypt Your Data: Data encryption transforms readable data into an unreadable format, ensuring that even if unauthorized parties gain access to the data, they cannot interpret or misuse it without the decryption key. Customer data must be encrypted at rest and in transit on the networks and systems that you use.
  • Identify and Address Phishing Messages: Phishing attacks are a common method for cybercriminals to gain access to sensitive information. These attacks often involve deceptive messages that lure individuals into clicking malicious links. Ensure your employees are educated on how to recognize and avoid phishing attempts. Test their skills with tools like Google’s phishing quiz at phishingquiz.withgoogle.com.
  • Minimize Public Wi-Fi Use: Public Wi-Fi networks are often unsecured, making them prime targets for cyberattacks. Encourage your employees to avoid using public Wi-Fi, especially when accessing company data. Provide secure private Wi-Fi in the workplace to reduce the risk of data breaches.
  • Back Up Your Data: In the event of a data breach, having backups of your data is essential. Regularly back up your data to ensure that you can recover important information if it is compromised. This practice can mitigate the impact of a breach and help maintain business continuity.
  • Partner with a SOC Compliance Vendor: SOC compliance refers to the set of standards and regulations that companies must adhere to ensure the security, availability and confidentiality of their customers’ data. Working with a vendor who is certified SOC-compliant can bring several benefits to your business. SOC compliance ensures that the vendor has established and implemented adequate controls to protect sensitive data and assets.

By implementing these tips, you can strengthen your dealership’s data security and build trust with your clients.

Ensure You Are Safeguard Compliant

Need a partner in complete compliance? KPA is here for you! KPA Privacy & Safeguards software offers a comprehensive solution specifically designed for automotive dealerships to ensure complete compliance, protect customer data and streamline operations with a guided 10-step approach.

Our robust 10-step compliance framework includes customized legal policies, technical safeguards and regular assessments to mitigate risks and ensure compliance. We’re your partners in true, complete compliance. Please reach out to us at info@kpa.io, by visiting kpa.io/automotive, or by giving us a call at (866) 856-1735.

Get Social and Share!

Sign Up to Receive this Publication in your inbox

More In This Issue