CDK Global Automotive Dealership Cyberattack Litigation
Case Overview
In June 2024, CDK Global — whose dealer management system (DMS) software is the operational backbone for roughly 15,000 car dealerships across the United States and Canada — suffered a devastating ransomware attack attributed to the BlackSuit cybercriminal group. The attack forced CDK to take its systems offline for nearly three weeks, bringing vehicle sales, financing, service scheduling, and payroll processing at thousands of dealerships to a near-complete halt. Industry analysts estimated the attack cost the automotive retail sector over $1 billion in lost revenue. Reports indicated CDK paid approximately $25 million in ransom to restore services, though the company has not publicly confirmed the payment.
Multiple class action lawsuits were filed in federal courts by both dealerships and consumers, alleging that CDK's failure to implement and maintain reasonable cybersecurity measures constituted negligence, breach of contract, and violation of state consumer protection laws. Consumer plaintiffs allege that their sensitive personal and financial information — including Social Security numbers, income data, and credit histories shared during vehicle financing — was exposed to criminals. Dealership plaintiffs seek compensation for lost profits, emergency IT costs, and reputational harm suffered during the extended outage. Cases have been consolidated in the Northern District of Illinois, and litigation is in early discovery phases.
Who May Qualify
Two potential plaintiff classes exist: (1) automobile dealerships that used CDK Global's dealer management software and suffered business losses or incurred costs due to the June 2024 outage; and (2) consumers who provided personal or financial information to a CDK-connected dealership and whose data may have been accessed during the cyberattack.
Frequently Asked Questions
How do I know if my personal data was exposed in the CDK Global hack?
If you purchased, financed, leased, or serviced a vehicle at a dealership using CDK Global's software prior to June 2024, your personal and financial data may have been at risk. Affected dealerships were required to notify customers whose information was compromised. Check for notification letters or contact the dealership directly.
Can car dealerships sue CDK Global for the losses caused by the outage?
Yes. Numerous dealerships have filed or joined class action lawsuits against CDK Global alleging negligence and breach of contract for failing to protect their systems and maintain service continuity. Dealerships that suffered documented financial losses during the June 2024 outage may be eligible to participate in these actions.