Outage from CDK cyberattacks could cost dealers $1 billion, study says | Greater Cincinnati Automobile Dealers Association

Outage from CDK cyberattacks could cost dealers $1 billion, study says

Anderson Economic Group said affected dealers could be out about $600 million after two weeks and could lose roughly $1 billion if the dealer management system shutdown lasts until the July 4 holiday weekend.

The ongoing dealership management system outages following cyberattacks on CDK Global could cost retailers nearly
$1 billion if it lasts until the July 4 holiday weekend, according to estimates from the Michigan-based Anderson Economic Group.

The firm, which previously estimated losses from events such as the 2023 UAW strike against the Detroit 3, said the incident could cost affected dealers roughly $600 million if it stretched till June 29. If systems don’t come back online until after June 30 as CDK has indicated and the crisis lasted till July 6, those losses could reach $944 million.

The group reached its estimated figures by calculating losses from categories including vehicle sales, growing floorplan interest and IT, staffing and administrative costs. The firm put the losses for impacted dealerships at $284 million for the first four days. If the outage lasts till June 29, it would cost an additional $321 million. Anderson said it would cost affected dealerships an additional $339 million if the shutdown went until July 6.

“This is a hammer blow for 15,000 dealers and it should be a wake-up call to the rest of the economy that they’re also vulnerable to these kinds of organized, state-supported hacking attacks and ransomware,” Patrick Anderson, CEO of the group, told Automotive News. “These dealers are having to take extraordinary efforts to keep their operations open and some share of the business they expected to do is going to be lost to them forever.”

The ransomware attacks on June 19 have upended sales and service transactions, delayed dealership acquisition closings and could significantly impact June new-vehicle sales. CDK said June 26 a small test group of dealerships is back on its DMS.

Anderson said the estimates are only for dealers directly impacted by the attacks and do not reflect losses for the entire industry because some customers may purchase a vehicle at unaffected stores. The loss estimates are cumulative and likely to be different at each store.

“The damages are going to vary widely,” Anderson said. “Some dealers won’t be affected at all. Some will run the month at a loss, and there’s some small fraction of dealers and independent repair shops that may get a bump in business because people who absolutely need to get their car fixed or need to buy a new vehicle come to them. It’s going to be all over the map.”

The group said the estimate did not include any ransom paid to hackers, future audits required, additional insurance or training dealers may be required to pay because of the incident. It also said it did not include any costs related to resolving legal disputes.

Should the incident be contained to three weeks, Anderson said they expect most customers will simply delay their purchase until July and will stick with the same dealer. If the problem lingers, he said the expected losses could grow.