Auto dealerships have been taken for a wild ride, as selling and servicing cars have become a nightmare across showrooms and service bays across the U.S. and Canada.
For nearly two weeks, automotive dealerships and service shops using CDK Global’s dealership management system software (DMS) have been running on limp mode, forced to adapt to drastic measures as its primary product was taken offline in response to extensive cyberattacks.
However, light is at the end of the tunnel for CDK and the dealers it serves, but not without some consequential legal grievances that may see dealers and the software providers in a courtroom.
Related: Analysts have a bleak outlook for car dealers after CDK cyberattack
Used Ford vehicles for sale at a dealership in Colma, California, US, on Friday, June 21, 2024. CDK Global, a software provider to some 15,000 car dealers, was waylaid by debilitating cyberattacks this week that have had a crippling effect on the auto sales industry. Photographer: David Paul Morris/Bloomberg via Getty Images
On July 1, CDK told its customer network of dealerships that it expects to restore service sometime within the next few days, as the critical Independence Day sales holiday inches too close for comfort.
“We are continuing our phased approach to the restoration process and are rapidly bringing dealers live on the Dealer Management System,” it said in a statement. “We anticipate all dealers connections will be live by late Wednesday, July 3 or early morning Thursday, July 4.”
The fallout from the cyberattack — now confirmed as a ransomware attack — has already made its mark on automakers. In a statement released early on July 2, Hyundai (HYMLF) and sister company Kia reported lower June U.S. sales compared to the same month in 2023, which it attributes to the cyberattack and outage.
Hyundai Motor America CEO Randy Parker, said in a statement that its dealers have been resilient “in the face of yet another industry crisis.”
This development comes as analysts from J.P. Morgan predict that some of the largest publicly traded auto dealer groups will see a 7% to 10% hit on earnings per share once the results of Q2 2024 earnings come in. The six dealer groups cited in the report; the Asbury Automotive Group (ABG) , AutoNation Inc. (AN) , Group 1 Automotive Inc. (GPI) , Lithia Motors Inc. Lithia , Sonic Automotive Inc. (SAH) and Penske Automotive Group. (PAG) all use CDK’s DMS software in some way or form.
More Automotive:
Maserati exec defends the use of a car feature drivers hateFeds are skeptical about the safety of popular driver-assist techYoung guys who like loud cars are likely to be psychopaths, study suggests
Legal troubles
A customer looks at vehicles for sale at an AutoNation Toyota dealership in Hayward, California, US, on Monday, June 24, 2024.
Though the light at the end of the tunnel is shining through for CDK Global, the positive news does not negate the fact that several lawsuits have been filed by disgruntled dealerships, service shops and auto buyers as a result of the cyberattack.
On June 25, Illinois-based independent body shop Jay Kay Collision Center filed a lawsuit against CDK Global in the U.S. District Court for the Northern District of Illinois, claiming that the outage made it difficult for the shop to order parts and conduct its business.
As per Automotive News, the suit seeks class-action status, seeking to extend an olive branch to anyone in the U.S. “who used or relied on Defendant’s services, and were injured as a result of the Data Breach.”
“The outage has caused a delay in critical business functions and disruption to businesses inflicting substantial costs to develop workarounds, and has potentially exposed their sensitive personal and financial information to criminals,” it states in the lawsuit.
In a separate lawsuit requesting class action status filed on June 30 in the U.S. Southern District of Florida, Florida-based Formula Sports Cars and Prestige Motor Car Imports, Georgia-based Bill Holt Chevrolet of Blue Ridge and Florida residents Annie Ortiz and Alexis Pino seeks to represent other dealers and auto retail employees .
The collective alleges that the incidents related to CDK has compromised private data and information and harmed the businesses of auto dealers and its employees.
“This negligence has led to significant breaches affecting countless individuals across the United States who have purchased or serviced a vehicle or work at any business location with their personal data stored and accessible within the CDK systems,” the suit said.
“The repercussions of this failure are far-reaching, exposing sensitive information to cybercriminals and causing irreparable harm to the reputation and trust of the affected parties.”
In the suit, the two Florida-based auto buyers; Annie Ortiz and Alexis Pino, claimed that the two bought vehicles from dealerships where CDK software was used and were required to surrender information “directly or indirectly” to the software company, which include “their name, addresses, social security numbers, driver’s licenses, and financial details like credit card number and bank account information.”
Related: Veteran fund manager picks favorite stocks for 2024