The shock of the 2024 CDK ransomware attack may be fading, but its impact is still shaping dealership cybersecurity. Frozen titles, dead sales systems, handwritten forms, and millions in lost revenue reminded everyone just how dependent dealerships are on their DMS—and how quickly operations collapse when cybercriminals find a way in.
In a recent discussion hosted by Truist Dealer Commercial Services, Helion founder Erik Nachbahr and Black Breach CEO Justin Shanken broke down where dealers stand today, what’s really driving cyber risk, and what dealerships must do to protect themselves.
Cybercrime Is Evolving—and Dealers Are Squarely in the Crosshairs
The CDK breach proved two things:
- Dealers are extremely vulnerable. You can’t “just switch DMS providers.” When CDK went down, paper became the only backup—and operations nearly stopped.
- Cybercrime is big business. As Shanken noted, the attackers behind CDK pulled in an estimated $25 million. That kind of payday only encourages more attempts.
Erik highlighted just how organized these criminals are:
“If cybercrime were its own country, it would be the fourth-largest economy in the world.”
These aren’t lone hackers in a basement—they’re coordinated teams with developers, data centers, social engineers, and project managers. And they’re looking for targets with money, data, and operational urgency. In other words: dealerships.
This is precisely why the traditional approach of “letting IT handle cybersecurity” breaks down—IT teams are trained to keep systems running, not to outsmart nation-state-level attackers. Cybersecurity requires a completely different skill set: threat hunting, incident response, forensic analysis, and 24/7 vigilance. Expecting IT to defend against a highly funded, highly technical adversary is like asking your service manager to perform brain surgery—both are experts, but not in the same field.
The Most Dangerous Attacks Aren’t Always Ransomware
Invoice fraud, vendor impersonation, and social engineering schemes are now some of the biggest threats. Criminals mimic real vendors, hijack payment flows, or strike during business changes—like payroll transitions.
Erik recalled a dealer who nearly wired hundreds of thousands of dollars to criminals after attackers phished their Microsoft credentials and created a fake payroll site. One click—and the money would’ve been gone.
Compliance ≠ Cybersecurity
One of the biggest misconceptions Erik and Justin both raised:
Checking your FTC boxes does not mean you’re safe.
Antivirus, MFA, backups, and security software satisfy compliance—but they don’t replace:
- 24/7 monitoring
- Dedicated cybersecurity expertise
- Real incident response capabilities
- Deep knowledge of how attackers actually breach dealer systems
Most IT teams simply aren’t trained for this. As Erik put it:
“Effective cybersecurity comes from expertise, not just checklists.”
Eight Moves Every Dealership Should Be Making Now
The experts agreed that proactive steps are non-negotiable. Dealers should:
- Bring in qualified cybersecurity professionals—IT is not cybersecurity.
- Treat compliance as the starting line, not the finish.
- Have offline backups that keep operations moving if systems fail.
- Scrutinize vendor defenses—your partners’ weaknesses become your own.
- Use banking fraud tools like Positive Pay and ACH controls.
- Train employees regularly on cyber awareness.
- Plan for litigation—lawsuits can become the biggest financial hit.
- Understand cybercrime as a business—one that sees dealers as lucrative targets.
The message is simple: Don’t be the low-hanging fruit.
Bottom Line: Cybersecurity Is Now a Core Business Investment
Dealerships know how to market, sell, and operate—but cybersecurity is a different discipline entirely. With attackers becoming more sophisticated and vendor risks rising, protecting your data, finances, and operations requires expert guidance and around-the-clock vigilance.
As Erik emphasized, the CDK breach wasn’t a fluke. It was a preview.
Dealers who invest in true cybersecurity expertise—not just compliance—will be the ones who stay protected, operational, and trusted.