CDK Global is facing at least eight lawsuits from auto dealers over cyber attacks that shut down the software provider’s dealer management systemwhich jeopardized the activities of car dealers.
The plaintiffs, employees and customers of auto dealerships that use CDK tools, allege that CDK failed to adequately protect its customers’ data and that the personal information of tens of thousands of people was likely exposed in the hack.
Omar Aviles, a Tucson, Arizona resident and employee of Asbury Automotive Group, one of CDK Global’s approximately 15,000 customers, has filed a class action lawsuit against the Illinois-based company, alleging that the company failed to protect “a list of highly sensitive, personally identifiable information” it stored about former and current auto dealership customers and their clients and employees.
According to the complaint, filed in Illinois court, the trove of data was exposed because CDK’s computer systems were “inadequately secured.”
On its website, CDK touts its cybersecurity capabilities, promising to “stop cyberattacks immediately.”
“CDK Cybersecurity Solutions provides a three-layer cybersecurity strategy to prevent, protect and respond to cyberattacks so you can defend your dealership,” the website states.
Social security numbers made public
In contrast, the lawsuit alleges that CDK “lacked effective means to prevent, detect, stop, or contain breaches of its systems — allowing cybercriminals unrestricted access to the personal information of its current and former clients.” That data included Social Security numbers, employment history, driver’s license data, financial account information, and more.
The security flaw stemmed from CDK’s own employees’ inadequate cybersecurity training, the lawsuit alleges. As a result, Aviles “feared for his personal financial safety and was concerned about what information was exposed in the data breach” and suffered “anxiety, sleep disruption, stress, fear and frustration.”
The lawsuits seek damages and better protection of customer data by CDK.
“It’s a disaster”
A second lawsuit from a group of dealers, including Formula Sports Cars, Prestige Motor Car Imports, Bill Holt Chevrolet of Canton, Bill Holt Chevrolet of Blue Ridge and several consumers, also alleges that CDK failed to protect its customers. “CDK has failed to live up to the promises and responsibilities it made in its marketing campaigns to make consumers feel comfortable,” the lawsuit says.
“It’s a disaster,” said one affected dealer quoted in the lawsuit, describing the toll the breach has taken on his business. “Customers are coming in, we sell cars but we can’t book the dealscan’t finance the deals or get them to the banks. Which means we can’t finance the cars or pay them off,” he said.
Like stitching a wound without cleaning it
After CDK was first hacked, it recovered its systems, but was hacked a second time. In their lawsuit, the dealers compare CDK’s decision to recover systems without addressing underlying security issues to “a doctor stitching up a wound without first removing all the debris.”
“Just as a wound that is not properly cleaned would lead to more infections and take longer to heal, CDK’s haste to fix the system led to more breaches and exposed auto dealers to longer periods of financial loss,” the lawsuit says.
CDK has not indicated whether it will compensate affected dealers for financial losses or potential exposure to identity theft resulting from the cyberattack. A company spokesperson did not immediately respond to CBS MoneyWatch’s request for comment on the lawsuits.
Hurricane Beryl damages and destroys 90% of homes on the island of Saint Vincent and the Grenadines
Hurricane Beryl hits Caribbean as powerful Category 5 storm
Tracking Hurricane Beryl and the July 4th Heat