CDK Global, a leading provider of dealership management systems, has confirmed that the cyberattacks in June that led to the shutdown of its systems across North America did not result in the theft of dealership employee or consumer data. After third-party experts conducted a thorough review, CDK reported that there was no compromise of personally identifiable information, meaning dealerships do not need to notify employees or customers of any data breach.
The attacks, which occurred on June 19, forced CDK to shut down its dealership management system (DMS) for two weeks, impacting approximately 15,000 dealerships. During this time, car dealerships had to rely on pen-and-paper methods and third-party software to maintain operations, causing disruptions and financial losses during a critical sales period. CDK provided a one-month rebate to affected customers, although some dealerships felt that this compensation was insufficient.
CDK had previously stated that it would handle Federal Trade Commission Safeguards Rule requirements on behalf of dealerships if the attacks had involved data theft. The Safeguards Rule mandates that car dealerships and other financial institutions notify the FTC within 30 days of discovering a security breach affecting 500 or more customers.
Nevertheless, the agency has not disclosed the specifics of the cyberattacks or the preventive measures it is taking, despite confirming that no data was compromised, which brings some relief. The announcement also leaves uncertainty about the impact on pending lawsuits filed by dealership employees and customers, who have alleged that the cyberattacks put their personal data at risk.
