June 28, 2024
CDK Update: New Jersey and Federal Requirement Guidance
CDK announced that it brought up two small test groups of dealers live on the core DMS (accounting, parts, service, sales, F&I, user management and document management) earlier this week. The company also stated that there “are some integration points with OEM systems and third-party partners that may not be live immediately but will be phased in as quickly as possible” and that the company is actively working on bringing back CDK CRM, ONE-EIGHTY, and CDK Service. CDK expects Customer Care to go live by late afternoon today (Friday, June 28th).
NADA continues to communicate with CDK, but company representatives have not confirmed whether any unauthorized parties acquired unencrypted customer information, nor did they provide any other details of the incident.
What Should Dealers Do?
New Jersey Requirements
Dealers should be aware of New Jersey requirements related to the CDK cyber incident.
The nature and extent of the data breach, and whether it triggered any State or federal notification requirements, is unknown at this time. Once CDK provides dealers and the FTC with details about the nature of the breach, affected dealers will want to consult with their attorneys to determine whether notification is required under the New Jersey Identity Theft Prevention Act, N.J.S.A. 56:8-161 et seq.
New Jersey businesses must disclose any breach of security of computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information (PI) was, or is reasonably believed to have been, accessed by an unauthorized person. Prior to disclosure to the customer, the business must report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.
The law defines Personal Information as an individual’s first name or first initial and last name linked with any one or more of the following data elements:
- Social Security number;
- Driver’s license number or state identification card number;
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
- Username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.
Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. Security Breach is defined as the unauthorized access to electronic files, media or data containing PI that compromises the security, confidentiality, or integrity of PI when access to the PI has not been secured by encryption or by any other method or technology that renders the PI unreadable or unusable.
The law is expansive and provides exceptions that must be analyzed by the dealership’s attorneys. The very first step is to find out the nature of the breach, including whether any customer data was taken and whether that data was encrypted. Both the federal and the New Jersey notification requirements hinge on whether the data that was breached was encrypted or unencrypted.
Federal Requirements
Dealers should also be aware that the FTC requires notification to the FTC (not to customers) of the acquisition of unencrypted customer information without authorization involving at least 500 consumers. This must occur “as soon as possible and no later than 30 days after discovery of the event.” While dealers should consult with their legal counsel regarding compliance with this requirement, NADA staff has been in communication with FTC staff about when notification must be provided to the FTC.
At this time, NADA believes that dealers do not need to provide such a notification imminently. NADA will provide further clarification as more information is known about this incident. As this could change, NADA has urged CDK to notify dealers promptly if it learns that such information has been compromised.
Separate and apart from the FTC breach notification requirement, every state has a breach-notification statute with its own set of requirements and deadlines, and dealers should consult their legal counsel about necessary steps to ensure compliance with state law.
Dealers should also review their compliance with the FTC Safeguards Rule (including the required written information security program) and be aware of recent amendments to the rule that require (among many other elements) encryption of customer information both in transit and at rest, and the establishment of a written incident response plan.
Details of the FTC Safeguards Rule can be found in NADA’s Safeguards Rule Driven Guide. Appendix A of the guide contains a draft incident response plan, which includes steps a dealership can take in the event of a security event. Steps include, but are not limited to, the following, and the guide contains significant detail under each heading:
- Securing dealership operations. (p. 51)
- Remediating weaknesses and fixing vulnerabilities. (p. 52)
- Developing a comprehensive communications plan. (p. 53)
- Notifying appropriate parties. (p. 54)
As a reminder, there are several resources to help dealers address data security and regulatory compliance, including:
- NADA Safeguards Rule Driven Guide
- FTC Cybersecurity Basics
- Cybersecurity and Infrastructure Security Agency (CISA) resources
June 21, 2024
Checklist For Dealerships To Follow Once Their CDK DMS Access Is Fully Restored
NJ CAR Associate Member, Withum, has put together a checklist for dealerships to follow once their CDK DMS access is fully restored.
The CDK cyber-attack continues to cause headaches for thousands of dealerships across the country. Relying solely on pen and paper, dealerships were forced to go back to a time void of technology, selling cars and doing service work without the help of their DMS.
As dealership operations begin to come back online, what can dealerships do to ensure that the events that have occurred during their DMS outage are documented in the system, the correct taxes are paid, sales and service work is correctly recorded, employee hours are allocated, and more?
Below is a checklist of some of the major things that dealerships should address, as well as some not-so-obvious items to look out for in order to minimize any prolonged issues related to the outage.
- Contact your insurance provider and work with them to determine and calculate the amount your dealership can claim for the period of time of lost work and potential lost profit.
- Dealerships need to dedicate time to overall reconnaissance before going back to business as usual. All departments need to help the accounting office gather the necessary information accumulated during this downtime to ensure it will be accurately entered into the system, or the dealership may face repercussions later.
- Once CDK comes back online, everyone at the dealership should go into CDK setups to ensure that sales tax, their templates, and the mapping from the accounts to their financial statements are all correct, and that nothing got corrupted within their system.
- Do not assume that this breach only impacted data collected when CDK was down. Dealerships need to compare their May 31st statements to their June 1st statements to ensure there are no discrepancies.
- For any sales that did occur during this downtime, ensure that they were recorded accurately and that sales tax was calculated correctly. This will include reviewing all information from the manual sales to ensure all necessary accounting has been recorded.
- For anything done within the service department during downtime, make sure that all flag times were captured, and that the technician time was recorded accurately.
- Dealerships need to be strict about warranty submissions, because the factory will deny claims that are incorrect.
- Audit your dealership’s cybersecurity measures. Ensure that you are using multi-factor authentication, not sharing passwords, not providing access rights to individuals who do not need them, and complying with FTC safeguards.
- If your dealership closed for the period of time that your DMS was down, you will need to determine if employees will be paid as a courtesy or if they will need to utilize paid time off and work with HR to resolve any conflicts.
Please note that the CDK cyberattack reaches beyond your own DMS. CDK aligns and integrates with other services and platforms. Please be sure to remain on top of any system or software that integrates with CDK to ensure data accuracy and due diligence. NOTE: The Tekion platform is unaffected and operating normally. To ensure the security of its customers, Tekion has temporarily suspended all integrations and data feeds to CDK as a precautionary measure.
NJ CAR thanks Withum for this comprehensive checklist and encourages dealers to contact their accountants and other advisors for additional guidance and assistance in cleaning up any issues following the CDK outage.
June 21, 2024
While CDK System Remains Down, Contact NJ CAR Services For Required Forms
Due to the recent cyberattack that has halted the use of the CDK DMS, affected dealerships have been completing deals by hand and have requested PDF copies of required forms.
NJ CAR Services has been aiding dealerships, by sending packets of the necessary forms.
NJ CAR Services has long advised dealers to have emergency paper copies of forms on hand in order to continue processing deals, in the event of a service interruption such as the one CDK is currently experiencing.
Affected dealerships should reach out to NJ CAR Services to replenish their paper supplies and/or request a PDF packet of the critical dealership forms.
NJ CAR Services (and the entire NJ CAR team) stands ready to assist affected dealerships with these items and answer any questions you may have during this difficult time.
Please contact your NJ CAR Services Field Sales Representative:
- Rich Trabilsy - [email protected]
- Rich West - [email protected]
June 21, 2024
CDK Incident Sparks Phishing Scams
Plus Data Breach Reporting Refresher & Business Interruption Insurance
NJ CAR Partner ComplyAuto warns dealers about potential phishing scams being reported around the CDK incident.
PLEASE READ THE COMMUNICATION BELOW
- Scammers Taking Advantage of CDK Incident– CDK customers should be aware of bad actors attempting to take advantage of the CDK incident, including via potential ‘bandwagon’ phishing attempts. Reports have emerged stating that bad actors are sending communications falsely claiming to be CDK employees that can help get dealerships back online. Dealer employees should be aware of these phishing attempts in order to protect the dealer’s accounts and systems from these secondary bandwagon attacks.
- Data Breach Reporting Refresher– In this video ComplyAuto’s Brad Miller addresses questions received from numerous dealers about their potential obligations if it is determined that customer data has been breached. NOTE: As of the time of publication (on June 20, 2024), there is not currently any evidence that suggests consumer data was compromised as part of the CDK incident.
  Dealer reporting obligations under state and federal law:
  - Potential reporting under federal regulations
    - The FTC recently amended the Safeguards Rule to include a requirement to report to the FTC any “notification event” (commonly referred to as a “breach”) involving 500 or more customers’ unencrypted data, as soon as possible, and no later than 30 days after discovery of the event.
    - The dealer must report the breach even if it happened at a vendor.
    - FTC reports are public information.
  - Potential reporting under state law
    - Definitions, timeframes, and reporting thresholds differ among the states.
    - State laws often require a dealer to provide customer notification, and a dealer may also have to notify a state agency.
- Business Interruption Insurance Coverage– Dealers whose operations are impacted by the CDK systems being down might consider exploring whether they have business interruption coverage under any of their insurance policies that could provide relief for expenses and losses arising from the interruption in business resulting from the outage. Each insurance policy is different, and historically business interruption coverage was associated with physical casualties (e.g., fire damage), but in recent years some cyber insurance policies have included business interruption coverage.
Contact ComplyAuto To Protect Your Dealership
June 20, 2024
NEXT STEPS ON HANDLING THE CONTINUED CDK INCIDENT
According to Automotive News, CDK Global reported that it sustained another cyberattack and has once again shut down its core dealership management system functionality.
Currently, the full extent of the attack is unknown. As of this writing, no estimated time of restoration has been communicated; in fact, CDK has alerted dealers that it may take several days to get back up and running.
Your concerns include the protection of customer personal information in compliance with FTC Safeguards, and the New Jersey Data Breach Notification law, as well as the continuity of service. It is unlikely that at this early stage you have the information that you need to determine whether reporting the breach is required under both federal and New Jersey law.
Please keep in mind that under both the federal FTC Safeguards Rule notification requirement and the New Jersey Data Breach Notification law, the breach must involve unencrypted customer personal information, and under the FTC rule the institution must notify the FTC as soon as possible but no later than 30 days after discovery of the event.
An initial step is to determine whether customer personal information was compromised and whether it was unencrypted. If you have not already done so, contact your service representative at CDK if you can, and look out for any official bulletins released by CDK via email. Be sure to verify the identity of any sender or incoming caller claiming to be a CDK representative, AND DO NOT give out ANY dealership financial information.
We would also caution against using these systems until CDK has confirmed they have been restored and are safe to use.
Attackers could use this as an opportunity to conduct a “supply chain” attack, further spreading the impact of access they may have gained within CDK’s systems, or taking advantage of auto dealers who may be desperate to restore operations and thus tempted to click on malicious links or open attachments.
IMPORTANT NOTE ABOUT DMS TEMP TAG ACCESS
The use of the NJ temp tag system through your CDK DMS is likely compromised. If so, you can access the NJMVC Temp Tag Portal. If you need to reset your password, the portal allows you to do so. There are also videos on the portal to reacquaint yourself with the portal.
June 20, 2024
ADVISORY ON CONTINUING CDK INCIDENT
Critical Cybersecurity Safety Reminders for Dealerships
ComplyAuto, NJ CAR’s endorsed compliance partner, provides the following information.
In light of CDK’s continued, highly publicized cybersecurity incidents within the automotive industry, we want to remind you of critical steps all dealers should take to protect against potential threats posed by malicious actors.
While there is no way to be 100% immune from such attacks, there are some important tools you should be using.
As your trusted partner, we strongly recommend implementing available cybersecurity measures to safeguard your business, including the following:
- Endpoint Detection and Response (EDR)– EDR solutions act like a security camera to provide real-time monitoring, detection, and response capabilities to identify and mitigate potential security breaches on your dealership’s devices and networks.
- Penetration Testing– Regularly conducting penetration testing allows you to proactively identify vulnerabilities in your systems and networks before they can be exploited by bad actors. This practice helps strengthen your overall cybersecurity posture.
- Phishing Simulations– Phishing attacks remain one of the most common methods used by cybercriminals to gain unauthorized access to sensitive data. Conducting phishing simulations trains your employees to recognize and report suspicious emails, which reduces the risk of successful phishing attempts.
- Multi-Factor Authentication (MFA)– Implementing MFA adds an extra layer of security to your dealership’s user accounts. By requiring users to provide additional verification factors (such as a smartphone app or a hardware token), MFA significantly reduces the risk of unauthorized access, even if passwords are compromised.
- Vulnerability Scanning– Regular vulnerability scanning helps identify potential weaknesses in your dealership’s systems, applications, and networks. By proactively detecting vulnerabilities, you can prioritize and address them before they can be exploited by malicious actors.
- Service Provider Oversight– The Safeguards Rule requires (and good practice dictates) that you take certain specific actions with respect to your service providers’ contracts and cybersecurity tools, to ensure that all of your systems are using appropriate tools to protect your data.
Dealers should use these tools not only because it is required under federal law but, more importantly, to protect their systems and their data. Please remember that just using the tools is not enough; you should also take prompt steps to address any vulnerabilities that these tools may detect.
ComplyAuto offers a comprehensive suite of cybersecurity tools that specifically address these steps and more. ComplyAuto’s team of experts will walk you through this complicated landscape to properly leverage these tools so that you can significantly enhance your dealership’s cybersecurity defenses.
NJ CAR will continue to monitor these events. Please stay tuned for additional information as it develops.
June 19, 2024
ALERT- CDK Global cyberattack shuts down most dealership systems nationwide
Automotive News reported that CDK Global has shut down most of its systems around the country as it attempts to assess and contain an early-morning cyberattack that is impacting virtually every dealership in the U.S.
CDK, which serves nearly 15,000 dealerships across the country, sent the following communication early this morning:
“Critical Situation update – Dear Valued Customers, we are currently experiencing a cyber incident. Out of caution and concern for our customers, we have shut down a majority of our systems. We are currently assessing the overall impact and currently have no ETA. Please know our teams are working hard to get everything up and running and we will update as information is available. Sincerely, CDK Customer Care.”
All of the details regarding the cyber attack haven’t been released, but reports say CDK is actively addressing the incident and hopes to get everything up and running as quickly as possible.
According to cybersecurity services provider Helion Technologies, “disabling computer and software systems is a dramatic, yet critical, step to contain and assess any cybersecurity related incident.”
NJ CAR will continue monitoring the situation and will communicate any updates.