CDK Global Named in Multiple Lawsuits Following Ransomware Attack

Date: July 17, 2024

CDK Global faces multiple lawsuits from auto dealerships after cyberattacks crippled its dealer management system, exposing sensitive customer data.  

At least eight suits have been filed, including a proposed class action by Omar Aviles, an employee of Asbury Automotive Group. The lawsuits allege CDK failed to adequately protect customer data, exposing tens of thousands of individuals' personal information, including Social Security numbers and financial details.

The complaints argue CDK's cybersecurity measures were insufficient despite its claims of robust protection on its website. Plaintiffs, including several dealerships and consumers, seek damages and demand better data protection from CDK.  

The lawsuits highlight that CDK’s inadequate employee training on cybersecurity contributed to the breaches. Aviles and others claim the data exposure has caused significant stress and anxiety.

Dealers report severe business disruptions, saying they were unable to process sales, finance deals, or manage transactions due to the cyberattacks. The suits also criticize CDK’s rushed system restorations, which led to repeated breaches.

The plaintiffs compare this to improper medical treatment that leads to prolonged harm. CDK has yet to comment on the lawsuits or potential compensation for affected dealerships.

Takeaway: The surge in class action lawsuits linked to ransomware attacks involving data exfiltration has been dramatic over the past two years. This increased legal activity is putting substantial pressure on C-suite executives and Boards of Directors.  

Even organizations that have robust response and recovery plans are not immune, as the theft or exposure of sensitive data inherently escalates their liability risks.

Organizations must be acutely aware of the array of risks posed by ransomware attacks, which extend beyond immediate financial and operational disruptions to include significant threats to sensitive data and intellectual property.

The growing trend among ransomware operators to threaten the publication or sale of stolen data if ransoms are not paid introduces severe repercussions, such as regulatory fines, legal liabilities, and long-term damage to a company's brand and customer trust.

Ransomware attacks today involve more than just the delivery of malicious code. Data exfiltration is now a central component, with some groups even abandoning the encryption element to focus solely on stealing data and extorting victims.  

This shift has made ransomware attacks a significant legal and regulatory concern. Depending on the industry and location, data protection laws may mandate prompt reporting of breaches, with severe penalties for non-compliance.

Current regulations aim to protect sensitive personal information, yet they often fail to shield organizations from relentless ransomware attacks. Instead, these regulations can exacerbate the situation for the victims.  

The increasing legal and regulatory scrutiny is now extending to company executives and Boards of Directors, signaling a shift towards accountability at the highest levels.  

The aftermath of serious security incidents no longer ends with everyone going home; it now includes potential class action lawsuits, regulatory actions, criminal prosecutions, and even jail time for leadership, especially when sensitive or regulated data is compromised.

Notable cases, such as the legal actions against the former Chief Information Security Officer (CISO) of Uber and the recent cases involving SolarWinds and its CISO, highlight the escalating liability for those responsible for security decisions.

This trend underscores the harsh reality that while the government can offer guidelines and frameworks to prevent ransomware attacks, its regulatory response post-attack often revictimizes the affected organizations.

Cybersecurity experts understand that a determined attacker with sufficient time and resources can eventually breach any target. This reality means that organizations handling sensitive data are likely to face regulatory and potentially criminal jeopardy when they are attacked.  

For instance, the new Securities and Exchange Commission (SEC) reporting rule, effective December, requires publicly traded companies to disclose a "material" security event within four days, subjecting them to regulatory actions.  

Given the complexity and time-consuming nature of forensic investigations, this rule risks forcing premature disclosures with incomplete details. In contrast, the Office for Civil Rights (OCR) offers a 60-day window for disclosure, which is more realistic.  

Nonetheless, these regulatory requirements place executives in a precarious position, where their knowledge and actions before, during, and after a security event can result in legal or regulatory consequences.  

This punitive environment could discourage CISOs and security teams from being transparent with C-level executives and Boards of Directors during security events, potentially undermining overall security operations.

The culmination of these factors means that organizations already struggling to defend against ransomware and data extortion now face the additional threat of being re-victimized by a stringent legal and regulatory landscape.

This complex situation demands a balanced approach, where organizations must not only enhance their cybersecurity measures but also navigate the challenging regulatory terrain to mitigate the risks of further victimization.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.