CDK Global Cyberattack

CDK Global Cyberattack, FTC Safeguards, and How SpearTip Can Help

Chris Swagler | June 20th, 2024


A global car dealership SaaS (Software as a Service) Provider, CDK Global, was hit with a cyberattack affecting dealership operations, including CRM (Customer Relationship Management), financing, payroll, support and service, inventory, and back-office operations. Other reports indicate an additional attack in conjunction with the first.

What we now know is that CDK Global experienced an incident on June 18 which disrupted business operations of over 15,000 dealerships in North America. While SpearTip is not directly involved with ongoing Incident Response or Recovery efforts, we have learned that CDK had restored partial services Wednesday, June 19, only to fall victim of a second attack later that evening.

There are unverified reports that a small percentage of dealerships believe the threat actors were able to directly access their systems through this breach. With this information, SpearTip recommends that dealerships take the following actions:

  • Change or update passwords on as many devices and accounts as possible, even if they may not be directly associated with CDK software.
  • Have employees uninstall CDK software from cellphones/mobile devices.
  • If possible, shut down all computers with CDK software on them. At a minimum, disconnect those computers from the internet (disconnect from CDK Always-On VPN and shutdown/kill Adaptiva Endpoint).
  • Once the systems come back online for any of your CDK-connected systems, changing any and all passwords is highly recommended.


The CDK software running on devices has administrative privileges to update systems, which is why we are recommending disconnecting from the data centers. This level of access could allow the threat actors unrestricted access to a dealership’s systems and data.

All dealerships should be on heightened guard as the CDK breach may lead to increased threat actor actions in an already frequently targeted industry. This increased attention by threat actors may lead to business email compromise, wire fraud, account takeover, data exfiltration, and/or ransomware attacks.

Important Notice:

Dealerships should remain vigilant when contacted by anyone claiming to be a CDK agent or representative, as there have been reports of dealerships being called for information to attempt to gain access to systems. CDK has released a statement to their customers to inform them that CDK is not contacting customers directly.

Daily reporting indicates that the majority of dealerships affected by the CDK breach are not operational. CDK provides the main software allowing those businesses to function. This highlights the very real need for an Incident Response Plan, Business Continuity Plan, Disconnected Backups and regular testing of those backups.

With the recent spike in attacks against automotive dealerships, we at SpearTip are actively tracking this compromise and working with our clients to inform them of this activity, spread awareness and provide key prevention measures.

FTC Safeguards

Given dealerships are now included in the FTC Safeguards Rule for compliance, this incident may impact dealerships at a higher level than strictly operational downtime. In order to comply with the Safeguards Rule, SpearTip has developed an FTC Safeguards Assessment and services to enable your organization to be appropriately equipped to abide by the regulation.

See the eCFR (Electronic Code of Federal Regulations) here:

The three main objectives of an information security plan are:

  1. Ensuring the security and confidentiality of customer information
  2. Protecting against anticipated threats or hazards to the security or integrity of that information
  3. Protecting against unauthorized access to that information that could substantially harm or inconvenience to any customer


Reminder for reporting requirements: 

  • Report to the Board of Directors or Governing Body.
  • Require your Qualified Individual to report to your Board of Directors or governing body in writing, at least annually. If your dealership doesn’t have a Board or equivalent, the report must go to a senior officer responsible for your information security program.


Reporting should address:

  • An overall assessment of your company’s compliance with its information security program
  • Specific topics related to the program, such as risk assessment, risk management and control decisions, service provider arrangements, test results, security events, how management responded, and recommendations for changes in the information security program


While the rules and regulations may seem burdensome to businesses used to manufacturing and selling automobiles, the required cybersecurity measures are at the core of SpearTip‘s operational mission, and we’re able to assist and provide guidance on best approaches to abide by the Safeguards Rule. Our tools and services include:

  • Fully managed unified threat management: Our cybersecurity platform is designed for continuous threat monitoring that combines automation via our vast threat intelligence and our experienced team.
  • Enterprise-grade security tools: Our ShadowSpear Platform is a fully managed cybersecurity solution powered by our 24/7/365 Security Operations Center (SOC).
  • 24/7/365 U.S.-based SOC: Our 24/7/365 SOC is staffed with certified engineers and security analysts who engage in active monitoring, rapid response, and real time threat remediation.
  • Cyber risk assessments and training: Our advisory, implementation, training and service-based risk assessments are tailored to meet your business needs. They extend beyond standard audit or compliance checks, as we work to help ensure your organization and your clients are optimally protected against all manner of cyber threats.
  • Rapid Incident Response (IR) & disaster recovery: SpearTip has over 18 years of IR and disaster recovery experience. We can quickly respond to an attack, isolate threats, reclaim your network and restore operations with minimal downtime.


For any general questions or inquiries about this incident or how we can help prevent or prepare your organization for a cyberattack, email us at or call 1-800-236-6550. If you’re currently experiencing an incident, email or call 1-833-997-7327.

As this incident is ongoing, we’re actively working to update this document with any helpful information and additional findings. (Last update: June 21, 11:15 AM CST.)


Connect With Us

Featured Articles

Defend the Global Supply Chain
Resolve to Strengthen and Defend the Global Supply Chain
15 July 2024
Mitigate Cyber Risk
Mitigate Cyber Risk by Building a Security Program Focused on the Basics
15 July 2024
Managing Third Party Risk
Managing Third-Party Risk Poses Significant Challenges for Contracting Businesses
11 July 2024
effective healthcare
Effective Healthcare Requires Strengthened Cybersecurity for Patient Care and Protection
11 July 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.