A dealership in Phoenix is handwriting paper contracts and gauging creditworthiness with guesswork. A Jeep owner in Alabama keeps calling about when a replacement part will be in stock. A family in New Jersey is waiting for word on when they can take delivery of their new Audi.
Such is life for auto retailers and their customers across the U.S. and Canada after CDK Global — a software provider to some 15,000 dealers — was waylaid by debilitating cyberattacks. The barrage began June 19, costing U.S. dealers a burst of business on a federal holiday. CDK has warned that a second incident Thursday is likely to keep its systems down for several more days.
The attacks have had a crippling effect on an industry that topped $1.2 trillion in sales last year just in the U.S. CDK’s core product — a suite of software tools referred to as a dealership management system, or DMS — underpins virtually every element of auto retailers’ day-to-day business.
There are only a handful of DMS providers for dealers to choose from after decades of consolidation. That’s left thousands of retailers highly reliant on each of the select few software companies that enable them to line up financing and insurance, manage vehicle and parts inventory, and complete sales and repairs.
CDK’s parent, Brookfield Business Partners LP, had its worst trading day since October, plunging 5.7% on Thursday. Stock in dealer group AutoNation Inc. fell 3.6%, their biggest drop in two months. Group 1 Automotive Inc., Sonic Automotive Inc. and Lithia Motors Inc. shares also slumped.
For Joshua Adams, the Jeep owner in Millbrook, Alabama, CDK’s outage comes at an inopportune time. He’d already gone weeks without his 2020 Renegade sport utility vehicle as he waited for a warranty claim to be sorted out.
This week, he called his dealership to check if the final part needed to fix his vehicle had arrived, as expected. The service center was unsure, saying it was impossible to know because of the hack.
“They can’t tell me where my part is or when it will arrive,” Adams said. “We are just up in the air.” He expects the delay will cost several hundred dollars in additional expenses for a rental car he’s driving in the meantime.
In New Jersey, the Lanni family was excited to take delivery of a new Audi Q5. Daniel Lanni and his wife had removed the child seats from their old vehicle so they’d be ready for plopping into the new SUV. But on June 19, their dealer called to say the store’s computer system was down, and it wasn’t clear when they’d be able to take delivery.
Lanni and his wife re-installed the car seats for their children – ages 3, 5 and 8 – and said they hadn’t heard more from the dealer as of Thursday afternoon.
“The kids were really excited,” said Lanni, a 41-year-old commercial real estate broker. “They’re upset and now they’re just regularly asking about it.”
Alex Padron, a sales manager at a Nissan dealership in Phoenix, said that business was “almost at a standstill” on Thursday. Everyone who’s purchased a vehicle from the store since 2014 — when it began using CDK’s software — has data stored in the system, he said.
“It’s probably more than 50,000” customers, he said.
The dealership is now handwriting paper contracts and finding novel ways to get deals done. He said workers in the finance department have had to “guess” customers’ creditworthiness based on “whatever information they can gather.”
Since the attack began, the dealership has been able to process about half the transactions it usually can. Anything complicated — say, a purchase involving a trade-in or unusual financing — simply can’t get done.
“For this store, I’d like to have 10 complete deals done a day,” Padron said. “Five, six, seven would be nice today.”