CDK Global faces at least eight lawsuits from auto dealerships over cyberattacks that took down the software provider's dealer management system, crippling car sellers' operations.
The plaintiffs, who are employees or customers of car dealerships that use CDK tools, allege CDK did not adequately protect customer data and that the personal information of tens of thousands of people was likely exposed in the hack.
Tucson, Arizona-resident Omar Aviles, an employee of Asbury Automotive Group, one of CDK Global's roughly 15,000 clients, has filed a proposed class-action suit against the Illinois-based company, alleging it failed to protect the "litany of highly sensitive personal identifiable information" it had stored about former and current auto dealership clients and their customers and employees.
The trove of data was exposed due to CDK's "insufficiently protected computer systems," according to the complaint, filed in district court in Illinois.
On its website, CDK touts its cybersecurity capabilities, promising to "stop cyberattacks in their tracks."
"CDK Cybersecurity Solutions provide a three-tiered cybersecurity strategy to prevent, protect and respond to cyberattacks so you can defend your dealership," the website states.
Social Security numbers exposed
The suit, by contrast, claims that CDK "had no effective means to prevent, detect, stop or mitigate breaches of its systems — thereby allowing cybercriminals unrestricted access to its current and former clients'" personal data. That data includes Social Security numbers, employment history, driver's license info, financial account details and more.
The security failure stems from CDK's inadequate training of its own employees on cybersecurity, the lawsuit claims. As a result, Aviles "fears for his personal financial security and worries about what information was exposed in the data breach" and is suffering from "anxiety, sleep disruption, stress, fear and frustration."
The suits seek damages and want CDK to better protect customer information.
"It's a disaster"
A second lawsuit, from a group of dealers including Formula Sports Cars, Prestige Motor Car Imports, Bill Holt Chevrolet of Canton and Bill Holt Chevrolet of Blue Ridge, along with a pair of consumers, also claims CDK was negligent in protecting its clients. "CDK has failed to uphold its promises and responsibilities that it made throughout the course of its marketing campaigns making users feel at ease," the suit states in part.
"It's a disaster," said one affected dealer quoted in the lawsuit, in describing the toll of the breach on his business. "Customers are coming in, we're selling cars, but we can't book the deals, can't finance the deals or get them to the banks. Which means we cannot fund the cars or pay off the cars," he said.
Like stitching up a wound without cleaning it
After CDK was first breached, it restored its systems, only to be hacked a second time. In their suit, the dealers compare CDK's decision to restore systems without resolving underlying security issues to "a doctor stitching up a wound without first removing all the debris."
"Just as a wound not properly cleaned would lead to more infections and prolonged healing, CDK's rush to restore its system led to more breaches and, in turn, left car dealerships exposed to financial losses for longer periods of time," the lawsuit states.
CDK has not indicated if it will compensate affected dealerships for any financial losses or potential exposure to identity theft as a result of the cyberattack. A spokesperson for the company did not immediately respond to CBS MoneyWatch's request for comment on the lawsuits.
Megan Cerullo is a New York-based reporter for CBS MoneyWatch covering small business, workplace, health care, consumer spending and personal finance topics. She regularly appears on CBS News 24/7 to discuss her reporting.