What Happened
On June 19, 2024, CDK Global — the DMS provider serving roughly 15,000 car dealerships in North America — was hit by a ransomware attack. The company shut down its systems entirely. Dealerships could not access their DMS, process transactions, look up customer records, or manage inventory.
The outage lasted nearly three weeks. Dealers reported writing paper deals, tracking inventory on whiteboards, and manually processing loans by phone. The estimated cost to the industry exceeded $1 billion, and individual dealer groups reported losses of $500,000 to $2 million or more during the shutdown.
Beyond Cybersecurity
The immediate reaction focused on cybersecurity: How did attackers get in? Was the ransom paid? What security measures should CDK have had in place? These are valid questions, but they miss the deeper lesson.
The real question is: Why did one company's outage cripple 15,000 businesses?
The answer is vendor lock-in. Most of those 15,000 dealerships had no way to access their own data outside of CDK's systems. Customer records, deal histories, inventory data, accounting records — all of it was trapped inside a single vendor's platform with no portable backup.
The Data Portability Problem
Dealership software has historically operated on a model of data captivity. Your DMS holds your data, but you do not have easy access to export it, move it, or use it in other systems. If you want to switch DMS providers, the migration process can take 6-12 months and cost hundreds of thousands of dollars.
This creates a dangerous dependency. When your entire operation — sales, service, parts, accounting, customer communication — runs through a single vendor that controls your data, you are one outage away from a complete shutdown.
Warning Signs
The CDK attack was dramatic, but smaller disruptions happen constantly:
- Vendor outages that take your website offline for hours
- CRM providers that make it difficult to export your customer list
- Integration partners that shut down, taking your data connections with them
- Contract disputes where a vendor threatens to cut off access to your own data
What Data Portability Looks Like
Data portability means you can access, export, and use your data at any time, in standard formats, regardless of which vendor hosts it. In practice, this means:
- Regular automated backups: Your customer, inventory, and transaction data is automatically exported to storage you control — not just backed up within the vendor's ecosystem.
- Standard data formats: Data is stored and exportable in formats like CSV, JSON, or standard database exports — not proprietary binary formats that only the vendor can read.
- API access: You have full read/write API access to your own data, allowing you to build integrations, run reports, and sync with other systems.
- Multi-vendor architecture: Critical functions are spread across multiple independent systems rather than concentrated in one platform.
- Contractual data rights: Your vendor agreements explicitly state that you own your data and can export it at any time, in any format, with no additional fees.
Moving Forward
The CDK attack was a wake-up call. Dealers who took it seriously have since diversified their technology dependencies, established independent data backups, and negotiated stronger data ownership clauses in their vendor contracts.
The lesson is not that CDK was uniquely vulnerable. It is that any single point of failure is a risk. The dealers who build resilient technology stacks — with portable data, multiple vendors, and independent backups — are the ones who will keep operating when the next disruption hits.