Fraud Management & Cybercrime , Ransomware

Ransomware Leads to $30M in Lost Income at Sonic Automotive

Numerous Dealers Disrupted by Attack Against Software Provider CDK Global
Ransomware Leads to $30M in Lost Income at Sonic Automotive
A ransomware attack on a auto dealer software provider cut into dealers' profits. (Image: Shutterstock)

Ransomware attacks are continuing to take a bite out of corporate profits.

See Also: Live Webinar | Crack Australia’s Code on Ransomware: Empowering Your Last Line of Defence

On Monday, publicly traded Sonic Automotive told investors that a recent ransomware attack against one of its key service providers caused earnings per share to sink by a third during the quarter ending June 30.

Based in North Carolina, Sonic Automotive is one of the 500 largest U.S. publicly traded companies and the country's fifth largest automotive retailer, measured by revenue.

A June ransomware attack against CDK Global, a back-end software provider used by about 15,000 auto dealerships across the United States and Canada, plunged much of the North American auto retailer sector into a pre-digital era, resulting in lost sales.

CDK Global suffered on June 19 what it later described as being a "cyber ransom event," leading to the company deactivating numerous systems, including its dealer management system, which supports such dealership operations as sales, inventory and accounting, as well as its customer relationship management system.

A number of major auto dealerships - including Penske, Sonic Automotive and Lithia Motors - warned investors via SEC filings that the DMS and CMS software disruptions were having a knock-on effect on their own operations.

Sonic Automative said its GAAP earnings per diluted share for the second quarter amounted to $1.18. Due to CDK Global disruption, that was $0.64 lower than it would have been, "after factoring in estimated lost income and expenses attributable to the incident." The amount does not take "into account any potential recoveries." Diluted share reporting divides net income by the total number of outstanding shares as well as shares authorized for issuance.

"The outage is estimated to have reduced second quarter GAAP income before taxes by approximately $30 million, and net income by approximately $22.2 million, or $0.64 in diluted earnings per share," the company reported in an earnings presentation.

Of the $30 million in lost income, about $11.6 million tied to "excess compensation" paid to employees "as a result of the CDK outage," the company said. David Smith, the company's chairman and CEO, said on a Monday earnings call the compensation was paid to employees "who had reduced income potential due to the CDK outage."

A CDK Global spokesperson told Information Security Media Group on June 24 that the company expected to restore all systems within "several days." The company declined to comment on reports that it paid a ransom to the BlackSuit ransomware group worth tens of millions of dollars.

Multiple dealerships and consumers have filed federal lawsuits against CDK Global over the ransomware attack and resulting disruption.

Key Tronic: $17 Million in Losses

Sonic Automotive and other CDK Global customers are far from the only businesses to have lately reported that a ransomware attack had a material impact on their operations.

For printed circuit board assembly maker Key Tronic Corp., the total cost of the fallout caused by a recent ransomware attack due to expenses and lost orders now stands at over $17 million, although some of that may be recoverable.

Key Tronic, publicly traded and based in Washington, was founded in 1969 as a keyboard manufacturer. The company operates facilities in the U.S., as well as Mexico, China and Vietnam, offering value-added design and manufacturing services, including printed circuit board assembly.

In May, the business got hit by a ransomware attack and data breach for which the Black Basta group later claimed responsibility.

"Due to this event, the company incurred approximately $2.3 million of additional expenses and believes that it lost approximately $15 million of revenue during the fourth quarter," the company said in a Friday filing, announcing preliminary results for the fourth quarter of its fiscal year, which ended June 29.

On the upside, "most of these orders are recoverable and are expected to be fulfilled in fiscal year 2025." The company also said an insurance policy paid $700,000, partially offsetting expenses.

The company first disclosed on May 8 "unauthorized third party access to portions of its IT systems," saying it detected the attack two days earlier and immediately brought in outside cybersecurity experts to investigate.

"The incident has caused disruptions, and limitation of access, to portions of the company's business applications supporting aspects of the company's operations and corporate functions, including financial and operating reporting systems," it said at the time, noting that parts of its IT system remained offline.

The company later reported the attack disrupted systems at its sites in both Mexico and the United States, triggering an approximate two week halt in operations.

The Black Basta ransomware group subsequently leaked 530 gigabytes of stolen data, which it claimed included HR, finance and engineering information, as well as other "corporate data" and "home users data." Leaked information included screenshots of employees' passports and Social Security numbers, reported Bleeping Computer.

Key Tronic didn't immediately respond to a request for comment about whether it paid any ransom. Ransomware groups traditionally only list a victim on their data-leak sites and then leak stolen data if they haven't received a ransom. Such tactics are designed in part to scare future victims into paying (see: Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.