CDK Cyberattack Exposes Gaps in Cybersecurity Regulations

The ongoing CDK Global hack that took down car dealerships across the country, is the latest example of how a lack of comprehensive federal cybersecurity regulations is affecting how companies respond to ransomware attacks.

CDK, which provides software to car dealerships, was hit by a ransomware attack orchestrated by the BlackSuit group.

Dealerships across the country were left unable to manage daily operations, with sales operations heavily affected.

Adam Strange, Omdia's principal analyst for data security, told IoT World Today that CDK's case illustrates how companies are dealing with attacks without proper guidance from the federal level.

“In the U.S., there is no federal equivalent of the General Data Protection Regulation (GDPR). So the notion of a data breach, it just happens. In Europe, there are processes, regulations and fines. It's all a bit more mature,” Strange said. 

A small number of states have laws related to cybersecurity breaches. 

In California, for example, Civil Code section 1798.29 requires businesses to notify residents whose personal information was stolen in a cyberattack. Similar rules apply in Virginia. In Colorado, state law forces businesses to notify citizens and the office of the attorney general if the breach affects more than 500.

Related:Cyberattack Disrupts Car Dealership Operations Across the U.S.

The Omdia analyst said that by the end of 2026, half of U.S. states will have their own legislation in place covering data breaches, but warned it’s going to be a “nightmare” for businesses trying to navigate the disparate dos and don’ts across state lines.

“There is nobody with their foot on the data privacy jugular in the U.S., so ransomware or any kind of any attack is still relatively something to be to pretend it's not happening and when it does happen to you, then you must make every measure to make sure that you try and mitigate the public relations perspective of it and I think that this is perhaps what's happening here,” Strange said.

Strange suggested companies tend to be reluctant to admit breaches and that CDK’s claim to have its systems up and running in a few days is “ridiculous.”

"What companies tend to do is try to cover up as much of the problem as possible until they're absolutely forced to admit that they are subject to a ransomware attack or that they've been breached as a whole,” Strange said. “There's no way that [CDK] are going to get their systems up and running in that space of time."

The group that attacked CDK has conducted similar hacks on pharmaceutical companies and health care providers.

Related:Finance Industry Hit by 1 Million Cyberattacks in 120 Days, Blackberry Report

BlackSuit has no specific targets, with Strange suggesting CDK may have been unlucky.  The hackers likely exploited vulnerabilities due to inadequate defenses by CDK or another automotive supplier against such encrypting attacks. 

Strange said businesses need to not only set up defenses for operational environments but also for back-end options.

“I'm gonna go out on a limb and say that [CDK] don't have or haven't had a properly practiced and tested backup and restore strategy for when this sort of thing happens,” he said. “Because you don't know necessarily what that ransomware attack is or how can you get rid of that out of your system, you have got to be 100% clear that you have a clean source of data, with air gaps in your normal restore process whereby you can say that data over there has not been affected because it cannot physically be touched by my operational environment.”

Strange said in the absence of legislation to help them, businesses should consider building a strong backup plan, consisting of approaches toward strategies out to the market, informing customers and mitigation.

"You can never be 100% sure that you've got every eventuality taken care of,” Strange said. “There is broadly a lot more that people need to do to protect their data. And I'm afraid that [CDK] is just the latest evidence that people are not doing enough.”

Fernando Montenegro, Omdia’s senior principal analyst for cybersecurity, said ransomware incidents like in the case of CDK are increasing due to a mix of means (determined attackers with numerous methods at their disposal), motive (relatively straightforward paths to financial gain via ransom payments) and opportunity (increasingly complex environments with often overworked and under-supported IT and security teams).

“We need to look at these with a broader lens, similar to how we as a society have tackled safety for other mission-critical systems such as transportation, food supply and more,” Montenegro said. “There’s no silver-bullet answer and no single root cause for these. What this means is that prudent organizations of all sizes need to continue to develop and update their risk management programs to consider the prevalence of these incidents within their own processes.”