Threat Intelligence & Incident Response
Compliance is one thing; the attack that stops a dealership is another. Ransomware on the DMS, F&I identity data, and vendor outages like the 2024 CDK attack are the real exposure. What actually hits dealers, and how to be ready.
For a car dealership, the cyberattack that actually stops business isn't an abstract "data breach" — it's ransomware that takes down the dealer management system (DMS) the entire store runs on. Sales, service, parts, financing — all of it flows through that platform, and when it goes dark, the dealership effectively can't operate. The 2024 CDK Global attack made the point at industry scale: a ransomware incident at a single DMS vendor disrupted operations at roughly 15,000 North American dealerships for about two weeks, with dealership losses estimated at $1.02 billion (Anderson Economic Group).
This is the threat companion to the regulatory picture. If you want the compliance side — why the FTC Safeguards Rule treats dealers as financial institutions — start with Do Auto Dealers Have to Comply With the FTC Safeguards Rule?. This guide is about the attacks themselves.
A dealership carries two distinct cyber risks, and they need different defenses:
The most important takeaway from 2024 is that a dealership's attack surface includes its vendors. The dealers caught in the CDK outage mostly hadn't been breached themselves — their critical platform had. For an industry where one or two vendors run the core of the business, that concentration is a genuine exposure.
That doesn't mean abandoning your DMS. It means two things at once: harden your own environment so you aren't the entry point, and have a written plan to keep selling and servicing when a critical vendor is down. The dealers who recovered fastest from CDK were the ones who could fall back to a manual process without losing the week.
Mapped to the two exposures:
These are the same controls a cyber-insurance questionnaire scores — and given the F&I data you hold, the same controls the FTC Safeguards Rule already expects.
Start with the two questions that decide how bad an incident gets: would ransomware on your own network spread unchecked, and could you operate if the DMS went down tomorrow? The Cyber Insurance Readiness Sprint maps your dealership against both — the controls that contain an attack and the continuity gaps that turn it into a closed store — in a fixed-scope, seven-business-day engagement. See the Auto Dealerships security page for how the program runs in a store.
Compliance and attacks point at the same place: the DMS that runs the store and the F&I data that funds identity theft. The 2024 CDK outage proved the downtime case at scale and proved that your vendors are part of your risk. Put managed detection on every endpoint, MFA on the DMS and email, keep tested backups, and write down how you operate when a critical vendor is dark. An attack — yours or theirs — should cost you an afternoon, not a week.
Want to know how your dealership would weather a DMS outage? Book a dealership security assessment.
Last updated
June 17, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Downtime on the dealer management system (DMS) the whole store runs on, and theft of the identity data in the F&I office. The 2024 CDK Global attack showed how bad the downtime case gets: a ransomware incident at a single DMS vendor knocked out operations at roughly 15,000 North American dealerships for about two weeks. The attack doesn't have to hit your store directly to stop your store.
No — it means the opposite. The CDK incident was a reminder that a dealership's risk includes its vendors, not just its own network. You need both: your own defenses (managed detection, MFA, tested backups) and a plan to keep operating when a critical vendor goes down. Vendor concentration is a real exposure for dealers because so much runs through one or two platforms.
A dealership's F&I (finance and insurance) office collects exactly what identity thieves want: Social Security numbers, driver's licenses, dates of birth, and full credit applications. That's also why the FTC Safeguards Rule treats dealers as financial institutions with formal security obligations — covered in our compliance guide. The threat and the regulation point at the same data.
Managed detection and response on every endpoint and server, MFA on every account (especially the DMS and email), immutable and tested backups, and a written continuity plan for operating when the DMS or another critical vendor is down. The goal is that an attack — yours or a vendor's — is a disruption you recover from, not an existential event.
Related reading
Most dealerships that arrange financing are 'financial institutions' under the FTC Safeguards Rule — which means a specific, named cybersecurity program is required by regulation. Here's what's on the list and how to satisfy it.
Read articleFor a small manufacturer, the expensive cyberattack isn't data theft — it's the ransomware that stops the line. Manufacturing is the most-attacked industry, and downtime is the real loss. The exposure and the fix.
Read articleContracting services were the second-most-reported non-critical sector in the FBI's 2025 ransomware data. The two exposures that actually hurt a construction firm — project downtime and progress-payment wire fraud — and how to close them.
Read article