The fallout from a cyberattack targeting CDK Global, a software provider for more than 15,000 car dealers across North America, is spreading as more customers disclose potential material impacts.
At least five publicly traded car dealerships filed disclosures with the Securities and Exchange Commission since Friday. Sonic Automotive and Penske Automotive Group warned investors of potential impacts on Friday. Autonation, Group 1 Automotive and Lithia Motors filed with the SEC Monday.
All five companies said CDK notified its customers of an outage in response to a cyberattack on June 19. CDK expects to restore its dealer management system within several days, not weeks, according to Group 1 Automotive.
CDK, which shut down some of its systems on Wednesday after discovering the attack, was not immediately available to comment.
The widespread impacts from an attack on a single software as a service vendor with a strong market share in a major industry spotlights a persistent problem in cybersecurity.
Damage from a cyberattack on one company often escalates and quickly hits downstream customers.
The group of car dealers, some of the largest in North America, filed very similarly worded disclosures with the SEC. The businesses said they remain open and are using workarounds to minimize disruption.
Dealers use CDK’s hosted dealer management system for sales, customer relationship management, inventory and accounting functions.
“While this incident has had, and is likely to continue to have, a negative impact on the company’s business operations until the relevant systems are fully restored, the company has not yet determined whether the incident is reasonably likely to materially impact the company’s financial condition or results of operations,” Lithia Motors said in its SEC filing.
CDK was acquired by private equity firm Brookfield Business Partners in a deal valued at $8.3 billion in April 2022.