Editor’s Note (Updated: December 20, 2025): This story was updated today to add verified reporting on the CDK Global outage’s restoration timeline, attribution, and subsequent breach-notification and legal developments.
- Corrected the executive attribution: CDK Global’s CEO is Brian MacDonald, while Brad Holton is an executive at dealership IT firm Proton.
- Added CDK’s later characterization of the incident as a “cyber ransom event,” plus Reuters reporting on the suspected BlackSuit ransomware link.
- Added the phased restoration timeline through late June and early July 2024, including “substantially all” dealer connections returning.
- Added impacts disclosed in U.S. securities filings by major dealership groups using CDK systems.
- Added later public breach-notification references and reporting on alleged ransom-payment tracing and lawsuits tied to the incident.
CDK Global said two cyber incidents on June 19, 2024, forced it to shut down dealership software used nationwide, sending auto retailers into manual processing for sales and service as restoration stretched into late June.
The disruption began around 2 a.m. EDT June 19, when CDK briefly shut down all systems while investigating what it called a cyber incident, as Reuters reported. After some functions started coming back that afternoon, CDK told Reuters it “experienced another cyber incident” later that Wednesday and proactively shut down most systems again, deepening the outage, according to Reuters.
CDK’s platform is widely used as the back-office engine for dealerships, handling workflows that can include sales documents, service operations, inventory, financing and accounting. CDK says it is trusted by nearly 15,000 dealer locations, and it lists its headquarters in Austin, Texas on a company careers site that highlights an Austin HQ location.
Chip in once
If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.
Support us monthly
A small monthly pledge keeps independent coverage and our reader tools online for everyone.
Public dealership groups disclosed the operational hit in required filings. AutoNation said CDK’s disruption affected systems supporting its dealer management system and “core functions” including “sales, service, inventory, customer relationship management, and accounting,” in an SEC filing. Sonic Automotive said its CDK-hosted dealer management system supports “sales, inventory and accounting” functions and that stores stayed open using workarounds, according to its SEC filing. Lithia Motors said it severed connections between its systems and CDK’s as a containment step, in its SEC filing.
As dealers reverted to pen-and-paper processes, CDK said it was restoring service in phases and warned the process would take “several days,” according to Reuters. In a memo to dealers, CEO Brian MacDonald said systems were unlikely to be fully restored before the end of June, Reuters reported. CDK later said it had brought a “small initial test group” live on its dealer management system as part of a phased restoration, per Reuters. By early July, CDK told dealers that “substantially all” dealer connections were restored, trade publication CRN reported.
CDK did not initially label the incident as ransomware, but it later called the disruption a “ransom event,” according to CBS News. Reuters later published an explainer attributing the attack to the ransomware group BlackSuit, citing security-firm reporting and industry sourcing, in a June 2024 report. CDK has not publicly confirmed the attacker’s identity.
Separate reporting raised questions about whether a payment was made. CyberScoop reported that wallets linked to BlackSuit affiliates received about $25 million shortly after the incident became public, citing blockchain analysis and people familiar with the matter, in its July 2024 report. CDK has not publicly confirmed any ransom payment.
Questions about data exposure persisted after operations resumed. The Florida Automobile Dealers Association said CDK told dealers it had made “no determination that PII was impacted” while it worked through breach-reporting obligations, in an association post summarizing CDK’s dealer update. By September 2024, a breach-notification letter posted by Massachusetts officials said CDK was notifying individuals about a security event involving personal information, in a state-posted notice. (The notice is publicly posted; access and details can vary by state posting.)
The fallout also moved into court. A federal judge in Chicago allowed breach-of-contract claims tied to the 2024 outage to proceed in litigation involving dealership groups’ insurer, according to Crain’s Chicago Business. Additional suits tied to disruption claims continued to develop into 2025, according to Repairer Driven News.
