The Breach CDK Global June 18 – June 19, 2024


Scene 1 (0s)

[Audio] The Breach: CDK Global, June 18 – June 19, 2024
Amy Yip
EdX Name: Aphreal / GitHub Name: Amy-6897
December 28, 2025.

Scene 2 (15s)

[Audio] Introduction

Company
CDK Global, a subsidiary of Brookfield Business Partners, operates a large-scale, cloud-based dealership management system (DMS) that processes financial transactions for approximately 15,000 automotive dealerships across the United States and Canada. In June 2024, the organization suffered a ransomware intrusion targeting its production environment, resulting in widespread service disruption and a reported ransom demand of $25 million.

Attackers
The ransomware activity was attributed by investigators to the Russian-linked cybercriminal group BlackSuit. CDK Global was initially compromised on June 18, 2024, followed by a second intrusion on June 19, 2024 during the system recovery phase, which significantly complicated remediation efforts and extended service outages. The threat actors reportedly issued an initial ransom demand of approximately $10 million, later escalating the demand to $50 million. Public reporting estimates that CDK Global ultimately paid approximately $25 million in Bitcoin through global cryptocurrency exchanges to facilitate decryption and recovery...

Scene 3 (1m 38s)

[Audio] Overlooked Best Practices

The initial breach is considered to have come from phishing attacks which exploited multiple vulnerabilities within CDK's systems. Once the hackers gained access through CDK's "always-on VPN", they were able to access the network and gain higher-level permissions through CDK's core Deal Management System (DMS).

Lack of awareness
Following the initial compromise on June 18, 2024, CDK Global commenced system recovery on June 19, 2024. The expedited remediation left residual vulnerabilities unmitigated, enabling threat actors to conduct a secondary intrusion. CDK Global's infrastructure supports critical enterprise applications, including Customer Relationship Management (CRM), financial transaction processing, inventory management, and payroll systems. Notification to affected dealerships was delayed, forcing reliance on manual workflows due to incomplete and ambiguous communication from CDK Global's cybersecurity and IT operations teams. The organization's incident response indicated inadequate assessment of breach severity, resulting in a reactive posture that amplified operational downtime, exposed additional vulnerabilities, and caused reputational and financial impact.

Scene 4 (3m 7s)

[Audio] Cost Concerns and Business Impact

The prolonged system outage experienced by CDK Global—lasting approximately two weeks—severely disrupted operations for an estimated 15,000 automotive dealerships across the United States and Canada. Reports indicate that up to $25 million may have been paid to threat actors, while the broader economic impact extended far beyond the immediate incident. The cumulative financial impact of the incident is estimated to have exceeded $1 billion in lost revenue across affected businesses during the outage period.

Scene 5 (3m 47s)

[Audio] Strategies to Implement Once Compromised: Immediate Response Actions — CDK Global Case Analysis

Isolate affected systems
CDK Global proactively shut down its production environments after detecting the initial intrusion on June 18, 2024. While this action helped contain the ransomware, the lack of segmentation and phased isolation contributed to widespread service outages across dealerships.

Disable DRM licenses, encryption keys, and compromised credentials
CDK likely revoked credentials and access tokens during containment; however, the successful second intrusion on June 19 suggests incomplete credential invalidation or persistent access mechanisms that were not fully eliminated during the initial response.

Activate the incident response protocol
CDK activated its incident response process and engaged external cybersecurity experts and law enforcement. Improvement could have been made in faster escalation and tighter coordination across recovery teams to prevent reinfection.

Preserve forensic evidence
CDK maintained system shutdowns during the investigation to support forensic analysis. However, limited public disclosure of technical indicators reduced customers' ability to assess their own exposure.

Scene 6 (5m 13s)

[Audio] Containment, Recovery, and Communication — CDK Global Case Analysis

Restore systems from clean backups
CDK pursued phased restoration of services; however, the prolonged outage indicates challenges validating backup integrity and ensuring restored systems were free from persistence mechanisms.

Verify system integrity before production re-entry
The secondary compromise during recovery highlights the importance of deeper integrity validation, such as full environment rebuilds and stronger assurance testing prior to reactivation.

Enhance security controls during recovery
CDK reportedly strengthened monitoring and security post-incident, but earlier deployment of enhanced detection and network segmentation could have reduced recovery time.

Notify customers, employees, and authorities
CDK communicated outage information to dealerships and worked with law enforcement. However, many customers reported delayed or limited technical updates, indicating an opportunity for clearer and more frequent communications.

Coordinate with legal and compliance teams
CDK addressed regulatory and contractual obligations during recovery, though earlier alignment between legal, technical, and communications teams could have improved messaging consistency.

Scene 7 (6m 35s)

[Audio] Preventative Measures — Proactive Security Controls

Security Testing & Risk Assessment
- Conduct regular security audits to assess compliance, system configurations, and control effectiveness
- Perform automated vulnerability scans to identify known weaknesses across infrastructure and applications
- Execute scheduled penetration testing to simulate real-world attack scenarios and validate defensive controls

Employee Awareness & Access Control
- Deliver ongoing cybersecurity awareness training to reduce phishing and social engineering risks
- Enforce strong password management and secure data-handling policies across all user roles
- Conduct simulated phishing and ransomware exercises to evaluate employee readiness and response
- Require Multi-Factor Authentication (MFA) for all privileged and remote access
- Apply least-privilege principles to ensure users have only the access necessary to perform their roles
- Remove inactive, unnecessary, and legacy accounts to minimize the attack surface.

Scene 8 (7m 45s)

[Audio] Preventative Measures — Proactive Security Controls (continued)

Backup, Recovery, and Infrastructure Protection
- Strengthen backup and disaster recovery plans to enable rapid system and data restoration
- Maintain secure, offline, or immutable backups to protect against ransomware and data destruction
- Regularly test backup restoration procedures to verify reliability and recovery time objectives (RTOs)
- Isolate backup systems from production environments to prevent unauthorized access or compromise

Network & Data Protection Controls
- Deploy and maintain firewalls, intrusion prevention systems, and endpoint protection platforms
- Encrypt sensitive data both at rest and in transit using industry-standard cryptographic controls
- Implement network segmentation to restrict lateral movement and contain potential breaches.

Scene 9 (8m 44s)

[Audio] Conclusion

In conclusion, the ransomware attack on CDK Global disrupted operations for thousands of automotive dealerships and impacted consumers across the United States and Canada. The prolonged outage resulted in service delays, customer frustration, and significant financial losses. This incident underscores the critical importance of cybersecurity and demonstrates that proactive security controls, effective incident response, and organizational resilience are essential to protecting business operations and maintaining trust in highly interconnected digital ecosystems.