The dust is clearing a bit for auto body shops affected by the CDK Global cyberattack in mid-June, when hackers breached CDK’s online defenses, gaining access to its auto dealership client list and all its data, and demanded a cash bounty to leave the virtual battlefield. Media reports said CDK paid $25 million to hackers based overseas.
It took several weeks, not the few days originally envisioned, for the auto dealership software provider to come back online. From June 19 through July 5, at least some dealers were offline, including their parts departments, which sell wholesale OEM parts to local independent shops. The July 4th holiday, the busiest holiday of the year for collision centers, came and went.
Read how two California shops are taking control of their own cybersecurity.
Then the piles of pen-and-paper purchase orders could begin to be entered into electronic form.
Beau Bennett, owner of Kious Kountry Auto Collision Center Inc. in Waukon, IA, a body shop operator Autobody News spoke with in the days following the ransomware breach at CDK, is exercising patience.
Some suppliers he works with weren’t affected; others have “talked to people up the food chain, working [at the dealership level] to ensure this doesn’t happen again.” If it does, he says, “it’s going to be worse.”
Bennett’s been open 30 years, and he’s “very loyal to all my suppliers. A sales rep was here yesterday and said, ‘Your statements are coming, so be diligent’” in checking their accuracy.
Sticker Shock
Anderson Economic Group estimates dealerships’ losses at $1.02 billion, including new and used car sales, finance and insurance, and parts and service. It doesn’t tally buyer losses, dealer body shops or new costs for training, IT audits or cybersecurity, AEG Chief Executive Patrick Anderson told Autobody News.
Anderson said customer costs aren’t included because “it’s hard to put a dollar amount” on inconvenience. Some buyers simply went to other, unaffected dealers and bought cars anyway, or, as others have noted, returned to the same dealer in July.
There’s also no rule of thumb for downstream effects, such as those on outside body shops like Bennett’s and others. Parts purchases are part of the billion-dollar price tag, but AEG didn’t provide values for specific elements of the total.
“The biggest single amount is additional staffing,” Anderson said. “Dealers paid a lot for overtime and outside IT support, for less business.”
Pound of Prevention
Brad Miller is head of legal and regulatory affairs at ComplyAuto in Salt Lake City, UT. He spent 16 years with the National Automobile Dealers Association (NADA), most recently as chief regulatory counsel.
ComplyAuto sells compliance software and services to auto dealers and body shops, including cybersecurity and customer privacy rights tools, OSHA/safety compliance and materials focused on the high-reg California market.
Breaches like CDK's expose information, credit card data, social security numbers -- “anything personally identifiable,” Miller said.
“It’s scary how organized [hackers] have become,” he said. “Some of them have numbers that targets can call to make payments,” like any business.
And it doesn’t cost them more to attack smaller entities -- which they’re doing more often as the big guys have already been hit, and are putting millions of dollars into stopping attacks.
“They spray it [malware] out as much as they can and pick the low-hanging fruit,” he says. Among ComplyAuto’s thousands of clients, “We work with a lot of small businesses.”
As body shops look to buffer and buttress their operations -- servers, websites, email, phone systems -- IT companies like ComplyAuto are looking to help. Miller’s work is national, and the company is large, but its entry-level offerings run about $250 a month. Regional IT providers are also out there such as, for instance, Micro Tech Resources and Eyonic Systems Inc. in Pleasanton and Vacaville, CA, respectively.
Security used to be peripheral to operations, Miller noted, and everything was at the dealership or body shop.
“Now it’s its own system, and not just peripheral; everything else is peripheral to it,” and it’s all on the cloud.
This means it’s more complex and potentially less safe because outsiders have access to data that’s outside the shop.
Cybersecurity “is becoming a core competency” and here’s a wrinkle for body shops: connectivity in cars. “There’s data in the vehicle, too.”
“If you’re connected to the internet, you’re exposed. If you’re exposed, you could be liable," Miller said.
Storm Warnings
Individual shops are on the hunt for what to do next. Robert Molina’s Collision Care Xpress near Fort Lauderdale, FL, said CDK helped “everyone see how important parts are, the whole dynamic of parts and procurement; they brought everybody to a standstill.”
Well, not everybody.
His shop -- 100,000 square feet, 60 workers, repairing 200 to 300 cars a month -- was largely unaffected, in part by the very counsel he offers to the industry: buying direct.
Molina’s work focuses on Tesla, Rivian and Lucid, so that’s where he gets his parts. He also buys direct from BMW and Porsche.
Mass-market nameplates at his shop, “the Fords, Chevys, Toyota … definitely got hurt,” he said, “and we’re asking our vendors, do they have a Plan B, a Plan C” for preventing a future disruption.
They do.
“They’re setting up direct invoicing with manufacturers,” opening new buying portals, bypassing the single-provider model.
“Humans always go back to basics,” he adds. “We go back to what works.”
John Melendez in Thornton, IL, muscled through the CDK breach in June. Weeks later, his shop, JDM Collision, lost power in a more act-of-God way when a storm hit the Chicagoland area.
He said shops can do something about an event like the first one.
In fact, they can do three things:
1. Copy customers on all job correspondence. “All estimates, photos and communication,” Melendez said. If it goes to the insurance company or the supplier, it goes to the owner.
Why shouldn’t vehicle owners see all material? Full communication is just good business, and “if you always copy them, you can reacquire the information” if it’s lost or threatened, Melendez said.
2. Open a single-user account with the estimating provider, so the body shop isn’t crippled by a breach. “Not disrespecting the vendor, but don’t let it affect your business," Melendez said. The "single user" move echoes Molina’s advice: buy direct and develop multiple, independent routes to the same destination.
3. “Worst case, hire an outside source, pass the cost to the insurance company or the consumer,” Melendez said. “Go back to the fax machine,” if needed. “Always move forward.”
Do whatever it takes, whatever that means, whatever third party you need, to keep the parts flowing and the work going. That’s the point of the plan, Melendez said: Never stop.
If Melendez has a parts supplier in Chicagoland using CDK, when there’s a breach, he’s going to call the guy in Northwest Indiana: “They’re running Reynolds and Reynolds.”
It’s “business-smart and cost-effective,” he said. “Don’t inconvenience the customer any more than the collision itself.”
You Set for Insurance?
Melendez's 13,000-square-foot shop has 12 employees, certifications and I-CAR, a focus on GM and Nissan, a strong customer base and no DRPs.
It does not have cyber-insurance.
“The cost of doing business continues to go up,” he said, “and I have to ask, ‘Am I going to be able to recoup that?’ and the answer is no.”
Meanwhile, Molina encourages cyber-insurance, which he has. Even though a typical policy “only kicks in after 30 days” of disruption, it’s worth it, on the same principle for carrying other kinds of insurance.
“Cyber-hacking is real and could at the very least damage your reputation,” he wrote to Autobody News in an email. “Worst case, you close your doors for good, if the financial impact lasts several months.”
California IT consultant Roberto Baires of Micro Tech Resources, one of the regional companies mentioned above, said, also via email, cyber-insurance is “becoming as needed as fire insurance. We’re strongly recommending it to all our customers.”
In general, body shop operators say cyber-insurance policies are growing in the industry in an organic, common way: by being required. Manufacturers offering OEM certification are adding cyber-insurance to the cert process.
Couple that with insurers requiring Melendez's and Molina’s multiple buying routes, and some necessary changes will come by stipulation: you want OEM, get insurance; you want insurance, buy direct.
Big Computer
Consultants and operators alike brag on the benefits of finding the best ways to do what’s needed: strengthen internal protection and prevent the one-way-in model of a single provider.
“If your car has a dent, you take it to a professional,” Baires said. And do so in advance. “You don’t want to start shopping around after a problem.”
Also remember: “The cloud is just a big computer,” and you can get into those.
Miller’s to-do list includes blocking spam, multifactor authentication and encryption; continuously monitoring electronic activity; knowing and being able to disclose data you’re collecting; reliable cybersecurity vendors; and system redundancies in case something fails.
“Even a standalone computer sitting in the corner all day, so you can still open your doors and work on vehicles. If you’re not thinking about data security and privacy, you ought to be,” Miller said.
The CDK breach, though technically and technologically resolved, is still fresh and in real ways not over.
CDK Global CEO Brian MacDonald has told dealers the company would compensate them in some way.
Dealers have tens of thousands of handwritten orders to make into invoices, which then need to become account statements.
Public companies will be giving an account to shareholders and for federal regulatory filings. And there are still the myriad questions of what to do next.
Auto dealers are still smack in the middle of working all this out and dealing with fallout from the event itself -- so much so that none are discussing it publicly.
Autobody News' attempts to reach large dealer groups across many states, and a parts supplier in the Midwest, were unsuccessful. The California New Car Dealers Association declined comment.
Paul Hughes