Car dealers stuck in the slow lane after cyber woes at software biz CDK

More customers self-reporting to SEC as disruption carries into second week

The number of US companies filing Form 8-Ks with the Securities and Exchange Commission (SEC) and referencing embattled car dealership software biz CDK is mounting.

Reports filed since Friday all mention the fact that businesses powered by CDK's software are suffering significant disruption.

For those who didn't catch it last week, CDK Global is a bigshot software slinger to nearly 15,000 car dealerships across the US. Its software can support customers with the management of sales, accounting, inventory, communications, and other back-office functions.

With all of those capabilities, you can imagine what happened when CDK was forced to pull some of its key systems offline (twice) last week in relation to what it's calling a "cyber incident."

The number of Form 8-Ks filed since Friday – that's two working days – now stands at four, a number likely to rise as the week goes on. The companies so far include:

Remember, the SEC's Form 8-K is there to inform shareholders of significant events. In cybersecurity, we often associate them with filings alerting the world to data break-ins, but their remit is much broader.

Looking at the four forms, the commonality among them is that CDK's incident has forced affected customers to dust off their incident response playbooks and deploy various mitigation strategies to deal with the disruption.

Some report resorting to pen-and-paper operations and that things are going fine. Others reported more substantial disruption to sales in North America, which would probably continue until the chaos at CDK is over with.

The timeline for recovery is up for debate, but various sources of information suggest the recovery will be sooner rather than later. However, not everyone is likely to agree with the means of getting there.

According to Group 1 Automotive's filing, CDK told customers that recovery will be a matter of days rather than weeks, which will doubtless be welcome news to those experiencing a greater degree of business disruption than others.

There are also reports from Bloomberg's moles that CDK is strongly considering paying a ransom, and that the group responsible for the attack is an Eastern European cybercrime gang. That ransom is rumored to be in the region of tens of millions of dollars – nothing more specific than that.

El Reg asked CDK about the veracity of these claims made in wider reports, and until we hear back from it on that, all we can go on is the last statement it sent over on June 20.

"Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems," said CDK spokesperson Lisa Finney.

"In partnership with third-party experts, we are assessing the impact and providing regular updates to our customers. We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible." ®
