The June 2024 CDK Global ransomware attack shut down ~15,000 dealerships across North America. Floor plan funding froze. Service queues backed up. F&I couldn't close a deal. It started with a phishing email. One trained employee changes everything.
Attackers impersonate floor plan lenders (NextGear, AFC, Ally Floorplan) or payoff banks with spoofed emails that look identical to normal funding instructions. F&I managers receive a "updated wire routing" notice mid-deal — the payoff goes to a fraudulent account. Average loss per incident exceeds $180,000 and recovery is nearly impossible once the wire clears.
Phishing emails impersonating DMS support portals ("CDK Security Alert — verify your credentials"), OEM manufacturer portals, and factory incentive platforms harvest staff login credentials. Once attackers own DMS credentials, they access customer SSNs, financing applications, income documentation, and deal files for every transaction in the system.
F&I departments collect some of the most sensitive consumer data in any industry — SSNs, driver's license numbers, income verification documents, credit application data, and bank account information. A single compromised F&I workstation exposes every customer who applied for financing. The FTC Safeguards Rule requires documented procedures for handling and protecting this data — gaps invite both regulatory action and class-action exposure.
The CDK Global incident showed exactly what happens when a DMS vendor goes down under ransomware — but attackers also target individual dealerships directly. Ransomware encrypts service lane systems, parts inventory, and CRM platforms simultaneously. With no DMS access, sales can't desk deals, service can't write ROs, and F&I can't fund contracts. Every day of downtime costs a mid-size dealership $50,000–$150,000 in lost gross.
Auto dealerships are explicitly covered by the FTC Safeguards Rule (16 CFR Part 314) — effective June 2023, every dealership handling customer financial information must have a written information security program (WISP), conduct annual risk assessments, and provide security awareness training to all staff. Non-compliance exposes dealers to FTC enforcement actions and state AG investigations. PCI DSS applies to service and parts departments processing card payments. State data breach notification laws require prompt customer notification after any exposure of SSNs, driver's license numbers, or financial application data — all of which flow through your DMS daily.
"After CDK, our dealer principal called an all-hands and asked who had received suspicious emails in the weeks before. Three hands went up — they had clicked links they thought were from CDK support. We hadn't trained anyone. SecurEveryone trained all four of our rooftops in a single Business session. The difference in how our team talks about phishing now is night and day."
— General Manager, Multi-Rooftop Franchise Group (4 locations)
"Our F&I team was handling wire instructions for floor plan payoffs over email with zero verification protocols. SecurEveryone walked through an exact scenario — fake lender email, updated routing number, pressure to close same-day. Every F&I manager at our store now calls back a verified number before any wire leaves. That protocol has already stopped one attempt."
— Dealer Principal, Independent Pre-Owned Dealership
"The FTC Safeguards Rule required us to have a written information security program and documented staff training by June 2023. We had neither. The Executive session gave us the WISP framework and the training records we needed. Our cyber insurance carrier accepted it as evidence of compliance at our next renewal."
— IT Director, Regional Franchise Dealer Group (7 rooftops)
The FTC Safeguards Rule (16 CFR Part 314), effective June 2023, requires auto dealerships that handle customer financial information to: (1) designate a qualified individual to oversee your information security program, (2) conduct a written risk assessment, (3) implement a written information security program (WISP) with specific technical, administrative, and physical safeguards, (4) provide security awareness training to all staff with access to customer information, and (5) test and monitor your program annually. Non-compliance can result in FTC civil penalties up to $51,744 per violation per day. Our Business session produces a documented training completion record and provides a WISP framework tailored to dealership operations.
DMS credential hygiene is the single highest-impact control for dealership cybersecurity. The most common gaps are: shared credentials across multiple staff members, no MFA on DMS admin accounts, credentials reused from personal accounts, and no offboarding procedure when staff leave. Our training covers a DMS-specific credential hygiene protocol: unique credentials per user, MFA enrollment on every platform that supports it, quarterly credential audits, and an immediate revocation checklist for departing employees. The CDK incident demonstrated exactly why individual accountability in DMS access matters.
F&I handles more sensitive consumer data per transaction than almost any other retail business — credit applications, income documents, SSNs, driver's license scans, and bank statements. The FTC Safeguards Rule requires documented procedures for data retention, disposal, and access controls for all customer financial information. Practically, that means: encrypted storage for digital documents, clean-desk procedures for paper applications, shredding protocols for disposed documents, role-based access so service and sales staff can't access F&I records, and a retention schedule that removes records you no longer need. Our F&I-focused training covers all of these in the context of a real deal workflow.
Yes — that's exactly what the Business tier is designed for. One $900 flat-rate session covers unlimited participants across all of your rooftops simultaneously via Zoom. We structure multi-rooftop sessions with department-specific breakouts: sales and BDC, F&I, service and parts, and management — so each group gets training relevant to their actual role. A single session produces training completion records for every location, which satisfies the FTC Safeguards Rule documentation requirement and is typically accepted by cyber insurers as evidence of annual training. Most multi-rooftop groups recoup the $900 in the first wire fraud attempt the training prevents.
If your DMS or any dealership system is hit by ransomware or a credential breach: (1) Isolate immediately — disconnect affected workstations from the network to stop lateral spread; (2) Activate paper-based downtime procedures for service write-ups, deal desks, and F&I; (3) Contact your DMS vendor's security response line; (4) Call a breach response attorney before you call your IT vendor — attorney-client privilege protects your investigation; (5) Notify your cyber insurer within the required timeframe (typically 24–72 hours); (6) Determine if customer SSNs, financing application data, or payment card data was accessed — this triggers FTC Safeguards Rule notification obligations and potentially state breach notification laws. Our Business session includes an incident response decision framework and a dealership-specific IR worksheet.
Take our free Phishing IQ Quiz to benchmark your team's awareness in 5 minutes — or book a 15-minute consult with one of our instructors.