It’s been nearly a year since the devastating CDK Global cyberattack brought operations at thousands of dealerships to a halt—and yet, here we are again. Same criminal group. Same playbook. Different victim. The CDK Hackers just proved you haven’t learned a thing.
In late April 2025, Branhaven Motors Inc., a Chrysler-Dodge-Jeep-Ram dealership in Branford, Connecticut, uncovered a chilling reality: they’d been breached by the same ransomware group, BlackSuit, that previously paralyzed CDK.
But here’s what makes this incident even more unsettling:
The attackers got in back in September. And no one noticed. For nearly eight months.
- Initial access was gained in early September 2024.
- Yet the dealership didn’t detect the breach until the end of April 2025.
- Customers weren’t informed until late May.
By then, the damage was done. The criminals had stolen more than 50 GB of sensitive data—including Social Security numbers, driver’s license details, financial account info, and even health records—affecting nearly 12,000 individuals across several states.
That data wasn’t just exposed. It was weaponized. And now, Branhaven is facing a class-action lawsuit for failing to take reasonable steps to protect its customers.
So what went wrong?
Like many dealerships, Branhaven likely thought they were doing enough. Maybe they had an EDR tool. Maybe they rolled out MFA. Maybe they bought a compliance application. But cybersecurity isn’t about checking a few boxes or buying a few tools. It’s not a one-and-done project.
It’s an ongoing practice that requires constant attention, skilled resources, and the manpower to get things done.
Technology alone doesn’t keep you safe. Implementation matters. Management matters. Manpower matters. MFA doesn’t help if it’s not configured properly. And when your team misses signs of a breach for eight months? That’s not just a technical problem.
The FTC is sounding the alarm—again.
In response to growing risks across the dealership space, the FTC recently released an FAQ specifically for automobile dealers—a rare move that signals just how critical compliance with the Safeguards Rule has become.
The message is clear: If you finance or lease vehicles, you are considered a financial institution—and you must have a written, actively managed, continuously updated information security program.
To implement and maintain a comprehensive information security program, you are required to:
- Conduct risk assessments, vulnerability scans, and penetration tests
- Prioritize and address the vulnerabilities that you discover – promptly
- Apply software security patches
- Remove or replace obsolete technology from your network
- Implement technical safeguards like MFA and encryption
- Train your staff
- Monitor your network continuously
- Create an incident response plan
- Report data breaches to the FTC within 30 days
If you don’t have the internal staff or expertise to do this, you need outside help. The FTC won’t accept “we didn’t know” as an excuse. And your customers won’t either.
What’s the takeaway?
Cybersecurity is not optional. It’s not simple. And it’s not static.
Your dealership may not be able to prevent every single threat—but you can be prepared, proactive, and compliant. What happened to Branhaven Motors wasn’t just a data breach. It was a preventable crisis. One that left customer trust shattered and the dealership legally exposed.
The CDK hackers are still out there. They haven’t stopped. Have you?
Is your dealership actually protected? Or are you just hoping it is?
Let’s talk. We can help you evaluate your risks, align with the FTC Safeguards Rule, and build a security program that doesn’t just look good on paper—but actually works.
Because next time, it might be your dealership making headlines.