Last month, multiple car dealerships and auto repair shops filed federal lawsuits against CDK Global LLC, a technology company providing software to the automotive, heavy truck, recreation, and heavy equipment industries, as a result of a data breach that caused its dealership management software systems to be out of commission.

The incident occurred last month when CDK’s systems were affected by a ransomware attack. On June 21, 2024, about 387 bitcoin (approximately $25 million) was sent to a cryptocurrency account controlled by hackers affiliated with a type of ransomware called BlackSuit. About a week after the ransom was paid, CDK began bringing its dealership customers back online to its software platform.

The complaints filed in the U.S. District Court for the Northern District of Illinois and the U.S. District Court for the Southern District of Florida both allege that the attack exposed consumer personal information and caused over 15,000 dealerships’ sales, financing, servicing and payroll operations to stop. CDK also faces several other lawsuits in the Northern District of Illinois filed by consumers who were allegedly affected by the breach.

The complaints allege that CDK negligently failed to protect consumer information and also alleges damages related to loss of commissions and sales.

BlackSuit’s malicious software is similar to other criminal group’s software and the group’s leadership has been conducting attacks like this since 2019. This is likely another example of a group being shut down by law enforcement and rebranding itself to continue attacks and extortions against U.S. companies.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.