CDK Global cyber attack: What businesses can learn & implement
2024-7-19 01:20:53 Author: securityboulevard.com

What happened?

Despite CDK Global’s claim of a robust three-tier cyber security strategy designed to “prevent, protect, and respond” to cyber attacks, the automotive SaaS company has faced one of the biggest headline breaches of 2024.

Although CDK never disclosed how the breach began, a client lawsuit states that the cause was partly a lack of cyber security training for employees. From this we can infer that the breach likely began with a phishing or social engineering attack on one of CDK’s employees.

CDK faced two breaches in a single day, which leaked tens of thousands of sensitive customer records including SINs, financial information, and driver’s licenses. The breach also forced CDK to shut down its networks, disrupting the operations of its thousands of dealership clients.

One of CDK’s customers reported that people were coming into its dealership, but due to the operational disruption its salespeople couldn’t “close deals, can’t finance the deals, or get them to the bank.”

CDK currently faces 8 lawsuits from different dealerships, which claim that the operational shutdown and data leak caused lost revenue and damaged their brand reputation.

Lessons to learn

Train your employees – No matter the level of expertise 

Regardless of industry or expertise, all employees should receive comprehensive cyber security training. CDK is a company that specializes in handling data, so it may have assumed its employees already knew enough not to need engaging, frequent cyber security training.

However, even employees who specialize in IT or security can fall victim to cyber security scams. Every employee, at every level of seniority and in any industry, must be trained to recognize and resist cyber criminals. Choose engaging training that lets employees practice in a safe, simulated environment.

Check your lateral access

Once inside, the cyber criminals moved laterally across CDK’s network to reach critical data and functions. Moving laterally across your network should not be easy, for anyone of any specialty or seniority.

Check how easily someone could move laterally in your own environment. Once someone is in your network, can they reach other platforms? What do your permissions look like? Are there passwords stopping them from moving across your network?

Review your incident response plan and consider every stakeholder 

Develop and maintain a thorough incident response plan that considers every stakeholder. When you are creating your response plan, think about:

  • The third parties that make you vulnerable: how you will respond if one of them notifies you of a breach
  • The clients you make vulnerable: how you will notify them about a breach and protect them from it, and how you will help them afterwards

Don’t rush

When the first breach occurred, CDK rushed to get its network back online. This was one of its biggest mistakes: the cyber criminals were immediately able to attack again and access even more consumer data. A client accurately compared this to “a doctor stitching up a wound without first removing the debris.”

Had CDK waited until everything was cleaned and checked before putting their system back online, they could have avoided the second attack. 

The lesson is that rushing your incident response is never a good idea. Take the time to complete every needed step and check before bringing your systems back up.

Think about how your business would function offline 

Collaborate with your operations or product team to discuss how your organization would function if systems went offline. 

  • Where would you communicate internally? 
  • How would you communicate with clients? Who would do the communication? When?
  • How would your daily sales and operations look different?

Let the CDK breach be a lesson for all businesses to strengthen their cyber security training and review their processes and plans. CDK chose not to do these things and now faces 8 lawsuits and long-lasting reputational damage. By continually reviewing and strengthening your security program, you can lessen the likelihood of the same happening to you.


Source: https://securityboulevard.com/2024/07/cdk-global-cyber-attack-what-businesses-can-learn-implement/