Celebrity Motor Car Co.’s four franchised dealerships have sued CDK Global, accusing it of soliciting business by emphasizing the risks of a dealership breach and the cybersecurity CDK could provide — only to be hacked and become unavailable to retailers after the June breach.
“Without a doubt, CDK intentionally failed to implement adequate or even reasonable security measures, despite its claims of vigilance and its own vaunted experience and expertise in the area of cybersecurity,” Celebrity Stores wrote in its lawsuit.
“As a result, CDK knew or should have known that its systems were susceptible to intrusion and that there was a reasonable likelihood that Celebrity’s business would be substantially disrupted.”
The case was originally filed in Morris County Superior Court in New Jersey on July 16, but was transferred to the U.S. District Court of New Jersey on August 16. The court sent the case to arbitration the same day.
CDK did not return an emailed request for comment on Aug. 29 on behalf of itself and subsidiary IP Networked Services, which was also named as a defendant. However, the two companies wrote in their Aug. 16 request to move the case to federal court that they “clearly dispute that plaintiffs are entitled to any damages.”
Lexus of Route 10 in Whippany, BMW of Springfield and Celebrity Ford of Toms River in New Jersey, and Mercedes-Benz of Goldens Bridge in New York accused CDK and its subsidiary of: fraudulent inducement; breach of the covenant of good faith and fair dealing; tortious interference with a prospective economic advantage; misrepresentation; unjust enrichment; and violation of the New Jersey Consumer Fraud Act or, in the alternative, violation of the Illinois Consumer Fraud Act.
According to the dealers’ lawsuit, in 2021, CDK proposed to Celebrity, which was already a CDK customer, to expand the stores’ information technology services, “including cybersecurity solutions to protect against cybersecurity threats and to protect Celebrity’s IT systems from disruption that would compromise and/or impair the business functions of Celebrity’s dealerships.”
Celebrity said CDK told the group how frequently cyberattacks occurred, how a system outage could disrupt store operations and the risk of customers abandoning a dealership after their data was compromised.
“Not only did CDK attempt to heighten Celebrity’s fear of an IT outage and the effect this would have on Celerity’s business and customers, but CDK…made it clear to Celebrity that by further engaging with CDK and its IT solutions, Celebrity would not need to worry about the security of its data, and that CDK’s IT solutions were fully equipped and would protect Celebrity’s most valuable assets.
“Indeed, CDK stated that it would provide a robust defense against threats targeting Celebrity, utilizing a three-tiered approach: (i) a prevention layer that stops threats before they can penetrate Celebrity’s dealerships; (ii) a protection layer that monitors and detects cyberattacks, blocking them before they can cause damage; (iii) and a response layer to contain any threat to Celebrity’s business and enable Celebrity to recover quickly after an attack.”
Celebrity dealerships said the group “has been induced to continue/extend and/or expand its relationships with CDK across its various dealerships.”
CDK Global suffered two cyberattacks on June 19 in what it called a “cyber ransomware event” and shut down its software as a precaution. It began bringing dealerships back online on June 29 and said most customers were back online by July 2.
“We are pleased to report that after conducting a thorough third-party expert review of the June 19 cyber incident, we have not discovered a compromise of personally identifiable information of dealership employees or consumers that would give rise to any reporting obligations related to the incident,” a CDK spokesperson told Automotive News in an emailed statement on Aug. 26.
“Now, dealers can reassure their employees and consumers that their data is secure and remain focused on delivering great experiences throughout the entire car buying and ownership journey.”
Celebrity said the CDK closure came “without prior notice” and had disrupted “all Celebrity business operations generally.” [of] its dealerships to shut down and create a substantial crisis for Celebrity.” The group said its operations were still “impaired” in the July 16 filing.
CDK said in a July 11 statement that all of its “major applications are now available,” and CEO Brian MacDonald told Automotive News that as of July 18, “most OEM integrations have been reinstated and nearly 90 percent of third-party software integrations are now active.”
The lawsuit said that during the outage, CDK “was unable to remedy the disruption of its services, contrary to representations made when inducing Celebrity to purchase additional services, provided no guidance to Celebrity, and all CDK support lines and means of communication directly with CDK were shut down. In short, CDK, throughout the Crisis, remained unavailable to provide any guidance or remediation.”
“There is no doubt that CDK’s failure to provide services to Celebrity has caused and is causing not only irreparable harm to Celebrity’s goodwill, reputation and relationship with its customers, but also substantial monetary losses, all of which are ongoing and cumulative.”
The celebrity accused CDK of “a massive fraud to illegally induce [Celebrity]and likely other similarly situated car dealers, to enter into MSAs and other agreements with CDK in order to obtain payment of sums to which they would not otherwise be entitled.”