CDK Global Cyberattack Auto Dealership Litigation
Case Overview
CDK Global provides dealer management system (DMS) software that is the operational backbone for an estimated 15,000 franchised auto dealerships across the United States. In mid-June 2024, a ransomware attack attributed to the BlackSuit cybercriminal group forced CDK to take its entire platform offline in two successive incidents within 24 hours. The outage lasted approximately 19 days and brought dealership operations — including vehicle sales, financing, service scheduling, and payroll — to a near-complete standstill. Reports indicated CDK paid a ransom of approximately $25 million to restore services. Consumer plaintiffs allege that their personally identifiable information (PII), including Social Security numbers, financial data, and driver's license information stored in the DMS, was exfiltrated during the attack.
Two distinct plaintiff classes have emerged: (1) auto dealerships and their owners seeking compensation for massive business interruption losses — industry estimates placed total economic harm to dealerships at over $1 billion — and (2) individual consumers whose PII was exposed. Plaintiffs allege CDK failed to implement adequate cybersecurity measures despite known vulnerabilities and prior warnings. The cases have been consolidated in the Northern District of Illinois, and CDK faces claims under negligence, breach of contract, and various state consumer protection statutes. The litigation is in early stages as of 2025, with class certification briefing ongoing.
Who May Qualify
Two potential classes: (1) U.S. automotive dealerships that used CDK Global's dealer management system and suffered business interruption losses during the June–July 2024 outage; and (2) individual consumers whose personal or financial information was stored in CDK's systems and was potentially exposed or stolen during the cyberattack.
Frequently Asked Questions
Was my personal information stolen in the CDK Global hack?
If you purchased or serviced a vehicle at a CDK-connected dealership and provided personal information such as your Social Security number, driver's license, or financial details, that data may have been exfiltrated. CDK has sent breach notification letters to affected individuals. Check your mail for a notice or contact your dealership directly.
Can car dealerships sue CDK Global for the 2024 outage?
Yes. Multiple class actions have been filed on behalf of dealerships seeking compensation for lost sales, business interruption, and operational costs incurred during the nearly three-week outage. Industry losses have been estimated at over $1 billion collectively.
How much is the CDK Global lawsuit worth?
No settlement has been reached as of 2025. Given the scale of the outage — affecting ~15,000 dealerships for nearly three weeks — and the volume of consumer PII potentially exposed, legal analysts estimate total liability could run into the hundreds of millions to over a billion dollars.