UnHacked Episode 23 - Summary
The CDK Breach:
- Occurred on June 19th, 2024
- Perpetrated by ransomware group "Black Suit"
- CDK is a SaaS provider serving 15,000+ car dealerships
- Manages dealerships' inventory, parts, service, accounting, insurance, CRM, and sales operations
- Complete system outage affected operations across all client dealerships
- Ransom paid: $25 million
- Estimated total financial impact: Over $1 billion
- Recovery took approximately 2 weeks, with dealerships being restored at roughly 50 per hour
Operational Impact on Dealerships:
- Many dealerships couldn't conduct test drives due to locked key management systems
- Unable to process sales or complete paperwork
- Couldn't access inventory systems
- Sales staff compensation severely affected during prime summer sales season
- Some dealerships had manual (paper-based) backup processes and were able to continue limited operations
Key Lessons & Takeaways:
1. Incident Response Planning:
- Most plans focus only on post-breach procedures
- Need to include business continuity planning
- Should detail how to maintain operations during an outage
- Must consider employee compensation during downtime
2. Security Training:
- Lawsuits allege inadequate security awareness training
- Training must be mandatory, not optional
- Documentation of training completion is crucial
- Need to track and address non-compliance
3. System Access:
- Principle of least privilege wasn't properly implemented
- Lateral movement across network suggests excessive access rights
- Need to restrict access based on actual job requirements
4. Ransom Considerations:
- Criminals research the victim's cyber insurance coverage to set ransom amounts
- Paying ransom doesn't guarantee immediate recovery
- Payment may be illegal if the group is on a government sanctions or terror watch list (for US organizations, paying an entity on the Treasury's OFAC sanctions list can itself be a violation)
- Paying could make organization a target for future attacks
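Lesson 3 above (least privilege and lateral movement) is easier to reason about with a concrete model. The following is an added example written for this summary; it is not code from the UnHacked episode or from CDK, and every host, account, grant and session in it is constructed, hypothetical data. It walks an access graph the way an attacker would: land on one host, harvest the credentials present there, log on to every host those accounts are granted, repeat. It then trims each account's grants to what its job requires and recomputes how far the same intrusion can spread.

```python
# Added example, not from the episode or from CDK. Models lesson 3: excess
# grants turn one compromised workstation into a network-wide incident, and
# trimming grants to job requirements shrinks the reachable set.
# All hosts, accounts, grants and sessions below are constructed sample data.
from collections import deque

# grants[account] = hosts the account may log on to (e.g. local admin rights).
GRANTS = {
    "helpdesk1": {"WS-HELPDESK", "WS-SALES", "FILESRV"},
    "sales1": {"WS-SALES"},
    # Backup service account given admin on every host "for convenience".
    "svc_backup": {"WS-HELPDESK", "WS-SALES", "FILESRV", "DMS-APP", "DMS-DB", "BACKUP"},
    "dba1": {"DMS-APP", "DMS-DB"},
}

# sessions[host] = accounts whose credentials are exposed on that host
# (logged-on users, cached secrets, service accounts running there).
# Simplifying assumption: any account reaching a host can harvest its sessions.
SESSIONS = {
    "WS-HELPDESK": {"helpdesk1"},
    "WS-SALES": {"sales1"},
    "FILESRV": {"svc_backup"},
    "DMS-DB": {"dba1"},
}

# required[account] = hosts the account actually needs for its job role.
REQUIRED = {
    "helpdesk1": {"WS-HELPDESK", "WS-SALES"},
    "sales1": {"WS-SALES"},
    "svc_backup": {"FILESRV", "BACKUP"},
    "dba1": {"DMS-DB"},
}


def blast_radius(start_host, grants, sessions):
    """Breadth-first walk of the access graph from one compromised host.

    Each reached host yields the accounts with sessions on it; each such
    account's grants yield new hosts. Returns (reachable_hosts, accounts_abused).
    """
    reached = {start_host}
    abused = set()
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        for account in sessions.get(host, ()):
            if account in abused:
                continue  # credentials already harvested elsewhere
            abused.add(account)
            for target in grants.get(account, ()):
                if target not in reached:
                    reached.add(target)
                    queue.append(target)
    return reached, abused


def least_privilege(grants, required):
    """Trim each account's grants to what its role requires.

    Returns (trimmed_grants, excess) where excess maps each over-privileged
    account to the grants that were removed. Accounts with no entry in
    `required` lose every grant, which is the safe default for an audit.
    """
    trimmed, excess = {}, {}
    for account, hosts in grants.items():
        needed = required.get(account, set())
        trimmed[account] = hosts & needed
        if hosts - needed:
            excess[account] = hosts - needed
    return trimmed, excess


def compare(start_host="WS-HELPDESK"):
    """Blast radius from start_host before and after enforcing least privilege."""
    before, _ = blast_radius(start_host, GRANTS, SESSIONS)
    trimmed, excess = least_privilege(GRANTS, REQUIRED)
    after, _ = blast_radius(start_host, trimmed, SESSIONS)
    return {"before": before, "after": after, "excess": excess}


if __name__ == "__main__":
    result = compare()
    print("reachable before:", sorted(result["before"]))
    print("reachable after :", sorted(result["after"]))
    for account, hosts in sorted(result["excess"].items()):
        print(f"over-privileged {account}: remove {sorted(hosts)}")
```

In the constructed data a phished helpdesk workstation reaches all six hosts, because the helpdesk account can log on to the file server and the backup service account cached there is admin everywhere. After trimming to `REQUIRED`, the same foothold reaches only the two workstations. The same walk, run over real logon-rights and session data (the kind BloodHound-style tooling collects), is a practical way to find which grants are doing the most damage before an attacker does.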