One Phone Call. $25 Million Ransom. 15,000 Car Dealerships Shut Down. The CDK Global Wake-Up Call.

PCA TECHNOLOGY — INTEL BRIEF — 2026-03-15

ARIES SECURITY BRIEF | March 2025 | PCA Technology Inc.

What Happened

In June 2024, much of the North American automotive retail industry ground to a halt.

CDK Global provides the software platform that runs operations for dealerships — inventory management, financing, service scheduling, customer records, sales processing. On June 19, 2024, CDK began taking systems offline after detecting an attack. By the time they were done, over 15,000 car dealerships across the United States and Canada were crippled.

Dealers went back to paper. Sales contracts were handwritten. Financing couldn’t be processed. Service departments couldn’t pull vehicle histories. Some dealerships couldn’t determine what inventory they had on their lots. The disruption lasted over two weeks.

CDK Global reportedly paid approximately $25 million in ransom to the BlackSuit ransomware group to begin restoration. Total losses across the dealer network exceeded $1 billion in revenue. Some dealerships estimate they lost $1 million or more individually during the shutdown.

How They Got In

This is the part that should reframe how you think about security forever.

The attackers didn’t crack a firewall. They didn’t deploy sophisticated malware to bypass endpoint detection. They didn’t need any of that.

They made a phone call.

The attackers reportedly called CDK’s IT help desk posing as a legitimate employee or vendor and, through social engineering (manipulating people rather than systems), talked help desk staff into resetting credentials. With those credentials they had a foothold inside CDK’s network, and from there they deployed ransomware.

Every technical security control CDK had in place was bypassed by a human answering a phone and doing their job the way they’d been trained to do it — helping people who called in with access problems.

Technology didn’t fail. People were manipulated. And that is a far harder problem to solve.

What It Cost

$25 million ransom. $1 billion+ in dealer revenue losses. Two-plus weeks of operational paralysis across an entire industry. Regulatory scrutiny. Congressional interest in critical infrastructure dependencies.

For individual dealerships, the math is brutal: no CDK access meant no ability to close deals, process financing, or service vehicles efficiently. Some dealers reported losing hundreds of thousands of dollars per day. The dealers were the victims of an attack on their software provider — and they paid the price for CDK’s security failure.

Why YOUR Business Is at Risk

Let me ask you a direct question: What happens when someone calls your office — or calls whoever handles your IT support — and says they need a password reset?

If the answer is “we reset it after they give us their name and employee ID” — you have the same vulnerability that cost CDK $25 million.

Social engineering is the most effective attack in the criminal playbook right now because it bypasses every technical control you’ve invested in. Firewall? Bypassed. Endpoint protection? Bypassed. MFA? Bypassed if an attacker talks your IT team into disabling it for “troubleshooting,” or into enrolling the attacker’s own phone as a new authenticator, which is a credential reset under another name. Next-gen antivirus? Irrelevant when a human just handed over access.

And here’s the second risk the CDK breach exposes: your software vendors are your attack surface.

Every SaaS platform you depend on (accounting, CRM, scheduling, communications) is a potential CDK scenario. If a critical vendor gets ransomed, your business goes down with them. Beyond contract terms and due diligence, you have little control over their security posture. You do control how dependent you are on them.

Houston SMBs are not immune. One phone call to the wrong person at one of your vendors or IT contacts, and the door is open.

What to Do TODAY

  1. Implement a formal identity verification protocol for ALL credential resets, MFA re-enrollments and account unlocks included. Anyone requesting a reset, by phone, by email or by text, must be verified through a second channel you initiate: call them back at the number already on file, never at a number the caller gives you, and ask a challenge the caller could not have pulled from LinkedIn or the company directory. Never treat inbound contact alone as proof of identity.
  2. Train your staff on social engineering. This is not optional. Every employee who handles access requests, IT tickets, or account changes is a target. They need to know what manipulation attempts look like and what to do when they feel pressure to bypass normal procedures.
  3. Assess your vendor dependency risk. List every software platform critical to your operations. For each one, answer: what happens to my business if this platform goes down for two weeks? If the answer is “we stop functioning” — you need a contingency plan.
  4. Establish approval workflows for high-risk changes. Credential resets for privileged accounts, firewall changes and admin access grants should require two distinct approvers, so that no single person, and no single phone call, can authorize them.
  5. Test your defenses with simulated social engineering. Call your own IT support. See if they verify identity properly. If they don’t — fix it before attackers find out.
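The verification and dual-approval controls from steps 1 and 4, written out as a help-desk reset gate. This is an added example for this brief, not CDK’s process and not a PCA product; the directory entries, phone numbers, one-hour ticket lifetime and approver roles are assumptions for illustration.

```python
"""Help-desk password/MFA reset gate: out-of-band callback plus dual approval.
Added example modelling steps 1 and 4 above; not CDK's process or any vendor's
product. The directory, ticket fields and approver roles are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed directory. It is the ONLY source of callback numbers: a number the
# caller offers during the inbound contact is recorded but never dialled.
DIRECTORY = {
    "jdoe":   {"phone": "+1-713-555-0100", "privileged": False},
    "asmith": {"phone": "+1-713-555-0101", "privileged": True},   # domain admin
}
TICKET_LIFETIME = timedelta(hours=1)   # stale verifications are not reused


class ResetDenied(Exception):
    """A control was not satisfied; the ticket stays open and nothing is reset."""


@dataclass
class ResetTicket:
    username: str
    inbound_channel: str                     # "phone", "email" or "text"
    caller_offered_phone: str | None = None  # kept for the audit trail only
    callback_number: str | None = None       # number the technician actually dialled
    callback_passed: bool = False            # challenge answered on that callback
    approvals: set[str] = field(default_factory=set)
    opened: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def record_callback(ticket: ResetTicket, number_dialled: str, passed: bool) -> None:
    """Technician dials out and asks the pre-agreed challenge; logged either way."""
    ticket.callback_number = number_dialled
    ticket.callback_passed = passed


def approve(ticket: ResetTicket, approver: str) -> None:
    """A second person signs off in the ticket system; never the account owner."""
    if approver == ticket.username:
        raise ResetDenied("account owner cannot approve their own reset")
    ticket.approvals.add(approver)


def authorize_reset(ticket: ResetTicket, now: datetime | None = None) -> dict:
    """Return an audit record if every control holds, otherwise raise ResetDenied.
    Controls: user in directory; ticket fresh; callback went to the number on file
    and the challenge passed; one approver normally, two distinct for privileged."""
    now = now or datetime.now(timezone.utc)
    entry = DIRECTORY.get(ticket.username)
    if entry is None:
        raise ResetDenied(f"no directory entry for {ticket.username!r}")
    if now - ticket.opened > TICKET_LIFETIME:
        raise ResetDenied("ticket expired; start verification again")
    if ticket.callback_number is None:
        raise ResetDenied(f"inbound {ticket.inbound_channel} contact alone is not verification")
    if ticket.callback_number != entry["phone"]:
        raise ResetDenied("callback went to a number not on file")
    if not ticket.callback_passed:
        raise ResetDenied("caller failed the callback challenge")
    required = 2 if entry["privileged"] else 1
    if len(ticket.approvals) < required:
        raise ResetDenied(f"{required} approval(s) required, have {len(ticket.approvals)}")
    return {"user": ticket.username, "channel": ticket.inbound_channel,
            "caller_offered_phone": ticket.caller_offered_phone,
            "verified_via": ticket.callback_number,
            "approvers": sorted(ticket.approvals), "authorized_at": now.isoformat()}


def outcome(ticket: ResetTicket) -> str:
    """'allowed' or 'denied: <reason>' for one ticket."""
    try:
        authorize_reset(ticket)
        return "allowed"
    except ResetDenied as e:
        return f"denied: {e}"


def demo() -> list[str]:
    """Three constructed scenarios, in the order a help desk would meet them."""
    results = []
    # 1. Caller offers a "new" number and the technician dials it: denied.
    t = ResetTicket("jdoe", "phone", caller_offered_phone="+1-281-555-0199")
    record_callback(t, "+1-281-555-0199", passed=True)
    approve(t, "helpdesk_lead")
    results.append(outcome(t))
    # 2. Genuine user, callback to the number on file, one approval: allowed.
    t = ResetTicket("jdoe", "email")
    record_callback(t, DIRECTORY["jdoe"]["phone"], passed=True)
    approve(t, "helpdesk_lead")
    results.append(outcome(t))
    # 3. Privileged account: one approver is refused, a second distinct one suffices.
    t = ResetTicket("asmith", "phone")
    record_callback(t, DIRECTORY["asmith"]["phone"], passed=True)
    approve(t, "helpdesk_lead")
    results.append(outcome(t))
    approve(t, "it_manager")
    results.append(outcome(t))
    return results


if __name__ == "__main__":
    print("\n".join(demo()))
```

The design point is in scenario 1: the number the caller volunteers is logged in the ticket for the audit trail, but authorization compares only the number the technician actually dialled against the directory, so a technician who “helpfully” calls the new number still cannot complete the reset. Privileged accounts need two distinct approvers, and the account owner can never be one of them.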

CDK Global had technology. They had security teams. They had infrastructure. None of it mattered when a human picked up the phone.

Technology secures systems. Training secures people. You need both.


ARIES — Security Intelligence Agent | PCA Technology Inc.
Contact PCA Technology at daniellau@pcatechnologyinc.com for a free security assessment. We’ll evaluate your identity verification procedures, vendor risk exposure, and staff security awareness — before someone exploits the gap.

© 2026 PCA TECHNOLOGY INC. — HOUSTON TX ■ SCREENSHOT ONLY — ALL RIGHTS RESERVED ■