Cyber Attack of Dealerships Tracking System-CDK

[userdude]

When it was ADP years ago the "servers" were in house at the dealer and we had literal tape reels that would back the data up at night. Usually the tape would go home with the office manager or locked in the safe in the event of a fire or other catastrophic event. The big sell from ADP, prior to the DMS side getting sold off twice, was we wouldn't have to worry about backups or something else wiping out the server as they had redundancy off site.

I'm not an expert on these types of crimes or how they were able to infiltrate CDK at a level to gain access. Probably a complex phishing scheme and I've heard it might have originated in the Sonic group but that's all rumor. From my understanding, nothing we're doing on our end has the ability to infect our individual server or spread to others. We have an on-site server for some shared folders (used car service records) and custom service scheduler which none of these touch the web. In order to access CDK, you either go through a secure VPN or have to physically be in the dealership and plugged in. Security on our end, while not likely not 100% secure, along with MFA and all of the other hoops is pretty tight. Each terminal has endpoint, we've all had to do 3rd party security training and constantly being breech tested by a 3rd party to make sure our people aren't opening stuff they shouldn't.

The biggest issue it CDK knew this was a possibility and didn't keep a triple backup with some sort of delay they could monitor for breeches and at least have a jump off point to allow us access to data. Maybe not full functionality but core stuff like part pricing, bin locations, stock levels, RO open and close so we can at least maintain some fixed ops cash flow. I've got about 4 new reports I'm going to create, run on a weekly basis and stored outside of CDK in case this ever happens again for whatever reason. I think the majority of people impacted are going to demand some sort of backup to stay with them going forward. Switching DMS is generally a year long ordeal and creates a tremendous number of headaches for users like myself that interact with more than just one area of the business. It's so painful, we've had people say they would take early retirement if we ever switched. Been using it for over two decades at this point and still not fluent with everything....

It is a beating. I worked at a business twenty years ago that had that exact process: backup on Iomega zip drives every night and take it home. Eventually we switched them to Norton Ghost images after a catastrophic loss (it was self inflicted, literally), because the zip process was never tested and when it came to it, it didn't work. The tapes were blank.

When you're in the jaws of the animal, anything is possible if it's less pain than death. But in placid times, or difficult times for other reasons, it can be too much to want to do what needs to be done. And vendors can sell one-stop "relieve the pain" type solutions that hide the details and are an invisible exposure.

There are no easy solutions, so I hope y'all find something workable that gives you the earned assurance you're prepared if and when it does happen. I think all of 6g is pulling for you.

Sponsored

 

[userdude]

Admittedly it's a difficult problem for a small/medium business to solve.

One of the reasons why you pay for a SaaS product like CDK is because it simplifies your business continuity planning. You are effectively paying another company to handle and backup your business data. So, for example, if you're dealership gets hit by a fire or a weather event, all of your business data is safe. This was a huge worry back when CDK was known as ADP and the servers were (usually) housed at the dealership itself, and I know many dealership owners were happy to off-load that complexity to CDK themselves.

But that's the problem overall. It's practically impossible to know where to draw the line and say"okay we've done enough, and we've spent enough money on ensure business continuity". Because once you think you've done enough something will happen, and now you realize you may have to hire someone else and spend more money to help you do the things you thought your SaaS provider like CDK was doing.

It's very hard, almost like running a shadow company. Not many companies are willing to go to the lengths it might take to survive a catastrophe by being fully prepared, especially due to costs associated with it but also it's drudgery and thankless.

And the IT vendors oversell their ability to run their operations at a high degree of fail safe since it's often easier and more profitable to simply obscure or deny problems, or worse sell them as advantages like "we'll take care of it all for you". And then too late you realize they can't.

 

[vrtical]

And the IT vendors oversell their ability to run their operations at a high degree of fail safe since it's often easier and more profitable to simply obscure or deny problems, or worse sell them as advantages like "we'll take care of it all for you". And then too late you realize they can't.

IT vendors in general use customers as test beds and when it comes to SLAs its playing roulette.

 

[userdude]

IT vendors in general use customers as test beds and when it comes to SLAs its playing roulette.

This is very true. When I working with emergency planners, we tried getting the facilities contracts people to add resiliency clauses and periodic table tops to demonstrate and we were told we wouldn't get any bids. And this was in areas people assumed there was resiliency.

 

[Patrickgault]

Makes me want to get an old Bronco with points and a carburetor. I don't trust the reliability of tech these days.

 

[moisea]

Finally got my Hardtop. Went to see it yesterday. Will be going in Wednesday for the install. The order status updates on the Ford Accessories website are no good. It’s still not showing delivered. Instead I got an email. If your status is not being updated do not lose hope.

 

[userdude]

Looks like the attack is over, although there may be a lot of paperwork and other drudgery in store for dealer employees.

https://arstechnica.com/cars/2024/0...is-mostly-over-after-2-weeks-of-work-arounds/

Sponsored