How is CDK Still Down? Dealerships Suffering!

  • Published: Oct 28, 2024

Comments • 39

  • @trstandridge6502 4 months ago +5

    I work at a dealership that has been affected by this CDK mess. We have been dead in the water for over a week. CDK was outdated when they did the install & has never worked correctly. Worst system to use ever.

  • @Youraveragetechy 3 months ago +2

    CDK user here, I can also agree that CDK is horrible. Their customer support is horrible. The UI is horrible. Looks like it did when it was first released. I can’t believe the amount of dealerships that still use it.

    • @RalphSmith-cj5he 2 months ago

      Delta Air Lines is seeking millions in damage$. This is a dirty diaper mess😮

  • @SimonDuguayD 4 months ago +9

    CDK Drive is an early 1990 terminal emulator, it was barely well made for 1990. Now there are hundreds of patches, modules, third parties connected to the same old terminal emulator, it is outdated, non-secure and it is required to be run by a full admin user. They seem to have paid the ransom, this shows the lack of backups, emergency plan and proper IT etiquette, mix this with the recent mass layoff and outsourcing of their technical team and you have the perfect storm.
    Right after the first attack, they closed their support center and they told the staff not to talk to any customer about what's going on or they will be fired. They are very opaque about what's going on, like they are afraid of repercussions.
    Also, I wouldn't be surprised if they get attacked some more or if there is a mass leak of personal information in the near future.
    I am sorry, but from an IT perspective the forecast is not looking very good.

    • @paulm6481 4 months ago

      Such a well thought out post. We outsource and put on the cloud. Companies only care about least cost.

  • @dougfredricks2017 2 months ago +1

    I recall back in the days of Novell file servers, AS/400 and OS/2, the IT people could not emphasize enough the importance of data backups.

  • @markokrasinski8033 4 months ago +4

    It's 2024 !!!!

  • @campbellc4 4 months ago +1

    You are spot on about what is a backup. I would be asking about the system environment and backup strategy. I back up my Oracle Database in a separate RMAN and then do a full backup of the virtual server. This gives you a second option for disaster recovery. Should the full system backup be corrupt or virus infected, I can reinstall everything then restore the database. These are not complex concepts; any IT professional who doesn’t want to be fired should be making backups. Also, any company concerned about data loss should be conducting an annual Disaster Recovery Scenario with the ISO or ISSO. This, done correctly, should have allowed them to identify issues before a disaster event.

    • @samit8178 3 months ago +1

      Even a fraction of that effort would have protected them here. Those extra steps are great, but it seems like the failure was at the most basic levels. To the point that we have to ask... what DID they do? Was this all running on a laptop somewhere that people forgot about? Like... seriously, lol.

  • @Jarli10 4 months ago +5

    Car Dealerships in the US in particular don't take their computer systems as "important", expressly because of companies like CDK. US Law requires people purchase cars from a Dealership (and not from the manufacturers) and thus security is a secondary item because everything forces consumers to go to these unsecured businesses.

    • @samit8178 4 months ago +1

      Right, good point, since the government doesn't allow a free market, there isn't much pressure on the monopolies to protect consumers. In reality, because they are mandated by the government against the will of the market and against the rights and needs of consumers, they really function as proxies or representatives of the government.

    • @cynthiaingraham7050 4 months ago

      Yes, I agree. I was IT Manager for a dealership that had several stores. Was told by some, you're not an income producer. That is the thought process even with dealers.

  • @allencrist5797 4 months ago +3

    But, it's "THE CLOUD"

  • @paulm6481 4 months ago +1

    You don't hear anyone talking about this, even though 15,000 dealerships are impacted. Thanks for posting this. Cloud software bought by a private equity company. What is wrong with that picture?

    • @samit8178 3 months ago

      Private Equity isn't NECESSARILY bad in that case. It often is, but you definitely don't want publicly traded companies doing cloud either. You want companies that are focused on profits, which means servicing clients, rather than companies that are focused on manipulated Wall St. perception values for blind shareholders that don't check in on the company. As someone who has worked in the private cloud space for over 25 years, being private has definitely allowed us to care about customers and making good products in ways that public companies struggle to be able (or allowed) to do. Sadly I don't work in this sector, so while I think we make amazing products, we don't have anything to offer in this space. That's a missed opportunity for sure! hahaha. I work primarily in finance, government security, medical care (both human and animal), entertainment and social media. So it's good for having insight, in that sense. So many private equity companies are garbage. But not all. Some, the ones you never hear about, hide behind the scenes working hard to make good products with deep business ownership involvement in ensuring that quality, customer care, employee care are top jobs, even over profits. Private equity has the right to override profits as the driving factor where publicly traded does not.

  • @iluvdale88 3 months ago +1

    It’s still down at this time.

    • @samit8178 3 months ago +1

      It's crazy. What's your current status? Are you back up?

  • @marcos1669 4 months ago +1

    I have seen you talk about sabotage in this and many other cases/situations. While I do agree that it is so bad that it may look like it, I think you understate the level of incompetence in general that rules over the IT field. Most people that I have seen who are not directly in the IT security field continuously omit basic security practices like the principle of least privilege or proper passwords, or sending those passwords in plain in an email, among many other obvious things.

    • @samit8178 3 months ago

      I have a very firm policy personally... I never credit stupidity. That feels good to do, it excuses many things. But in the real world, it's not plausible that all these IT folks AND their business managers didn't know better. And experience says that I've been in a million of these meetings in every region, every type of business, and company after company when presented good information still make bad decisions because it's easy / someone is getting kickbacks / they don't want to embarrass previous bad decision makers who are now senior staff / don't care because it's investor money, etc. I've never encountered a situation like this where everyone involved didn't actually know better. And I know, for a fact, that CDK and many of their customers were in fact warned. For a long time. Which of course, you'd assume, but I know it is true (because I did the warning, in person, directly.) So there's little to no way to blame a lack of knowledge.

  • @ajdeange 4 months ago +2

    Software as a service with 15k eggs in one basket. Enterprise client? No

  • @rommelechauri3901 4 months ago +3

    According to CDK, the system should be back up on June 30th. Smaller dealerships have already started to come back online. I am planning to buy your book because I believe your assessment of the situation is spot on. I want to transition from the auto industry into the cybersecurity field. This incident has shown me how unaware senior-level leadership is of potential cyber threats and how this lack of knowledge hampers serious investment into security. Explaining the potential fallout to people really opened my eyes into how out of touch people really are to what drives their world. Appreciate you putting out this information.

    • @samit8178 4 months ago

      Thank you!

    • @SimonDuguayD 4 months ago

      No, according to CDK, the system should not be expected to be back up before June 30th. It will take weeks to restore all customers.

    • @rommelechauri3901 3 months ago

      CDK is back up with us.

  • @Meenakshi-m1s 3 months ago +1

    Car industry is definitely "behind" the IT sector when it comes to privacy and security. This raises concerns for customers too I'm sure! Every time I get a service loaner there's previous users' info in it. That info doesn't even need to be hacked. IT'S RIGHT THERE!!! lol DATA BREACH waiting to occur.

  • @MrProy33 4 months ago +2

    Once the hackers can get into EV computers, we're in real trouble. Those battery boxes are going to become mobile bombs one day. The analog world was so much better than this.

  • @carlrodd8510 4 months ago +1

    see UHC and MGM how this works.

    • @carlrodd8510 4 months ago

      by the way are you on crack? wow.

  • @DerekHarrison-d1r 4 months ago

    Do u really do IT services?

    • @samit8178 3 months ago

      yes, for 35 years! Well, first ten years I worked in IT as a grunt. I've been with the same consulting firm for the last 25 years. We do everything from full blown IT services (like providing complete IT teams for small companies), to augmentation (providing special skills or hard to find staff or complicated arrangements) for existing IT teams, to just doing advisement - like some clients just call us to spend time having someone to talk to about IT. For example, if CDK needed someone to bounce system design off of, they can call us and hire us to advise on software design, cloud deployment, security, backups, etc. We don't always do the work, sometimes we just provide that sounding board, second opinion, or outside of the box thinking.

    • @DerekHarrison-d1r 3 months ago

      @samit8178 did you do CompTIA or any of that certification, or how did you start? Worked for a friend, didn’t go well.

  • @edwardce8341 4 months ago +1

    Insiders

    • @samit8178 3 months ago +1

      That's plausible, and possible. But there's nothing concrete that suggests it. I mean, not having backups is ALWAYS an inside job. But assuming that they were getting paid off to avoid backups, while certainly possible, nothing leads us to that. Everything top to bottom was completely "anti-professional practices", this required lots of visibility not just internally, but to customers. If the issue was ONLY a lack of backups, that would be very suggestive. But that they did so many things publicly that SHOULD have led to them having zero customers, suggests that they weren't trying to hide the incompetence. They were just confident that they could make money anyway. And they were right.

  • @gerardocortez5464 4 months ago +1

    I like the content of your video until you got into the realm of speculation and conspiracy.
    The only thing for sure is there was massive negligence by CDK Global and also a huge wake up call for the automotive industry about cyber security.

    • @samit8178 3 months ago

      Speculation based on the logical course of events, yes. But no conspiracy. Conspiracy is when lots of parties work together to defraud someone. This would be just one entity working to do something illegal. That's not at all a conspiracy. Just like if your accountant steals from you by altering your books. It sucks, but they didn't conspire. They just took a clear action available to them.