Date: 2024-07-01

A strike on the CDK Global data system, which paralyzed about half of U.S. car showrooms, could cost up to $16 billion in lost sales and chaos to business. It’s not the only industry in hackers’ crosshairs.

The ongoing ransom attack on a data services provider to around half of all U.S. car dealerships continues to inflict major disruptions throughout national automotive sales and repair networks. Some are still unable to get back online three weeks later. The devastating hack also offers a fresh reminder to entire sectors about the perils of relying too heavily on dominant but potentially vulnerable data system partners targeted by cyber criminals.

Though software company CDK Global has been working to bring the nearly 15,000 car dealerships it services back online since the June 19 start of the attack, that slog has now entered its third week–and may extend well into July. It has already made a major impact on the automotive sector’s typically strong summer sales period. According to an estimate by Motor Trend last week, total losses from the ransom hack “could be between $4 billion and $16 billion in sales and depress total retail sales in the U.S. by 2.3 percent.”

CBS News said the outage cost victimized dealerships about 100,000 lost car sales in June alone. That’s despite many owners and staff members reverting to pen-and-ink contracts and accounting entries to finalize as many purchases as possible while waiting to be re-connected to the CDK system. Many dealers still are–and continue scribbling. There are a few reasons this hack has such huge consequences.

For starters, CDK oversees virtually every aspect of most of its clients’ dealership operations. Those include sales, accounting, credit checks, orchestrating inventory, sending new ownership papers to DMVs, processing payrolls, and automatically organizing scheduling and supplies for maintenance and repairs.

Since the approximately 15,000 car showrooms affected by CDK’s computer network outage represent over 50 percent of all U.S. auto dealerships, the sheer scale of the disruption has thrown a major U.S. industrial sector into chaos for weeks now, with the end not yet in sight. Perhaps just as troubling is that the auto sector isn’t the only one in the nation with critical members over-relying on a small number of essential IT service partners. As reported by the Wall Street Journal Saturday, “(a)irlines, banks, and healthcare providers all use a handful of niche software providers–many of which have been dominant for decades.”

A painful reminder of that arose last February, when hackers struck UnitedHealth Group’s Change Healthcare claims processing unit. That froze a huge portion of the roughly 44 percent of the nation’s health system funds that the company ushers between various actors each day.

Something similar could occur over an even wider range were criminals to strike just one of the three platforms that airlines rely on, or the trio of IT companies that serve 72 percent of the banking industry. The disruptions resulting from a ransom attack on any of those would be immediate, massive, and expensive. But as the Journal notes, there is no easy security fix to reduce that threat. The danger created by most major companies in a given sector entrusting the data and network management of their critical business functions to just one service provider is clear: It only takes one breach for the entire chain to be compromised.

But finding new software partners to reduce the over-reliance risk isn’t an automatic solution. Those providers, too, could have vulnerabilities that would expose network data if they were breached. It’s a bind, because the potential alternatives also multiply possible security risks. Meanwhile, cyber criminals find that taking systems hostage has become increasingly lucrative, generating a big increase in attempted attacks.

According to ZDNET, the Eastern European-based Blacksuit gang, which is thought to be responsible for the CDK attack, has issued over $275 million in ransom demands from corporate victims since late 2022 alone. Many companies reportedly paid those ransoms rather than lose even more to lost business, though what they got back was often less than expected. “There’s never been a story written on a company that successfully paid a ransom, and then quickly recovered their systems,” Eric Noonan, CEO of cybersecurity provider CyberSheath, told CNN last week. “Much of our critical infrastructure is way behind in terms of being prepared for recognizing cyber threats when they appear, but then more importantly, recovering from them.”