This is the second post in a series where we investigate major breaches through alternative data: social media, employee reviews, workforce signals. We're looking at what was publicly visible before each breach, what it meant, and what it might mean for how we assess cyber risk.
Eight months before BlackSuit ransomware shut down nearly 15,000 dealerships, CDK Global published its third annual cybersecurity report, warning the auto industry that 17% of dealers had been attacked in the past year. Its website promoted a “three-tiered cybersecurity strategy to prevent, protect and respond to cyberattacks.”
On June 18, 2024, the BlackSuit ransomware group hit CDK Global, the dominant provider of dealer management software to the U.S. auto industry. A second attack struck during the recovery attempt the next day, resulting in a two-week blackout that froze sales, financing, and payroll across the U.S. auto industry. Anderson Economic Group estimated direct dealer losses at $1.02 billion. CDK almost certainly paid a $25 million ransom. Post-breach lawsuits allege CDK “had no effective means to prevent, detect, stop or mitigate breaches of its systems” and attribute the failure to inadequate employee cybersecurity training.
CDK has never disclosed the attack vector. No reporting or court filing identifies the entry point. However, eSentire's Threat Intelligence team identified a large number of CDK domains in credential logs being sold online, noting that these could have been purchased and used for access if the credentials remained valid.
Our 90 signals document what happened to CDK’s workforce, technology, and security governance after Brookfield acquired the company in July 2022 with heavy debt financing.
We organized signals into four categories:
Organizational Instability (68)
Tech & Security Dysfunction (22)
Financial Distress (27)
Product & Service Degradation (38)
Glassdoor is our primary source (59%). Reddit (24%) offers the client and practitioner perspective, while the remaining signals come from TheLayoff, Indeed, and Blind.
The full dataset (90 signals, sources, dates, and our categorization) is available here.
CDK was breached in June 2024, so we can’t retrieve SecurityScorecard’s pre-breach scores as we did for TCS. Its public interface only shows the trailing twelve months. But our argument is that the risk factors we document aren’t in scope for what such ratings measure.
In April 2022, Brookfield Business Partners, a publicly traded Canadian entity within the Brookfield Asset Management ecosystem, announced it would acquire CDK for $54.87/share (~$8.3 billion enterprise value). The deal closed in July 2022, financed with approximately $5.8 billion in debt, including a $5 billion loan package and $750 million in high-yield bonds. Brian MacDonald, who had led CDK from 2016 to late 2018, returned as CEO. What followed, according to employees across every level of the organization, was aggressive cost extraction.
A director with 3+ years at CDK headquarters in Hoffman Estates, writing in February 2024:
[...] in a short period of time after being spun off, inexperienced management was hit by hedge fund short-term focus demands, all the energy drained into a financial focus, lots of C-level change, missed long-term product improvement while focusing on short-term margin gains with off sourcing [...] Advice to management: “stabilize the talent drain”.
A trainer with 10+ years who left in February 2024 quantified the pressure:
CEO cares more about profit margin than anything else. A 30% margin wasn’t good enough for him, even though we had the best customer retention, new sales and customer satisfaction scores we’d had in years. He immediately instituted across the board layoffs to lower operating costs and raise profit margin (he wanted 40%).
In February 2023, CDK struck an outsourcing deal with Genpact covering “enterprise information technology unit, as well as parts of its technology, product, customer, finance, and procurement divisions”. The terms of that contract are unknown: what security baselines were required, what access controls were specified, and what governance was retained in-house. CDK employees described it as a workforce replacement program. A self-described former executive on TheLayoff.com laid out a five-year plan: continuously lower costs, future layoffs of those who had already transferred to Genpact, and an end state of virtually no US-based customer support to increase the profitability multiplier for an eventual IPO. A current CDK employee in the same thread confirmed the account.
The pattern was consistent: multiple rounds of layoffs, jobs moved offshore or to Genpact, institutional knowledge draining faster than it could be replaced.
The tech debt and systems instability that employees described was the downstream consequence of the financial squeeze. It was visible from two independent directions: CDK employees and CDK customers.
From CDK insiders, a TheLayoff.com post in June 2023:
CDK had become an EMBARRASSMENT to its clients. CDK can no longer hold a stable meeting to show its software. Teams are overworked and by the time anyone gets anywhere the CEO fires and lays off everyone. No one has any clue how anything works and cannot bring any stability to work with what they have.
A Director of Software Engineering with 3+ years in Portland, August 2023:
Constant struggle between the ‘new’ and the ‘legacy’ and a scrambled strategy as to how to bridge the two effectively. This is, unfortunately, a familiar story with CDK as they’ve been trying to modernize for decades.
Customers saw the same thing. Reddit posts from various dealership staff described systems failing repeatedly; one user noted the software had “been up for 3 minutes and then down for 30,” while others characterized the platform as “antiquated and built on old tech.” Eight days before the attack, a dealership parts employee on r/partscounter described a daily ordeal:
it reboots back to the main screen. It takes me, not even exaggerating, 15 minutes every morning to log in, constantly retrying [...] I have been on 6 different calls with 6 different people, they all [...] say hmm I’m not really sure. CDK wants our dealership’s IT guys to come out and look at my computer since CDK doesn’t know how to fix it.
A CDK customer service representative in March 2024:
Their software is so outdated that it is constantly crashing and they don’t have an in-house IT department. The managers, who have no training in IT, attempt to troubleshoot but it is always ineffectual. They blame everything on your internet connection.
The signals above describe what happens when an organization cuts faster than it can absorb. But CDK’s problem wasn’t just operational strain; it was also the absence of anyone at the top whose job was to manage the security consequences.
CDK did not appoint its first publicly identifiable CISO (David Hahn) until December 2020. Ballistic Ventures announced Hahn as its inaugural CISO-in-Residence in December 2022, suggesting he may have departed CDK before or around the time the Genpact outsourcing was announced in February 2023. We found no public evidence of a successor before the breach.
One post-breach observation is worth flagging separately. A poster noted that “the company had some odd items happen in April or May where they shut down customers’ stuff for a weekend.” They asked: “Was that initial access?” We can’t verify this, but it’s consistent with BlackSuit’s documented pattern of establishing persistent access before deploying encryption.
A self-identified former CDK employee, writing one day after the attack, connected the dots:
They are absolutely one of the most incompetent organizations I have ever had the displeasure of being a part of from both a management and cybersecurity perspective. I am not surprised this has happened and I assume the attack is much worse than CDK Global has disclosed.
No single decision created the breach conditions. They were a systemic response to financial pressure: debt servicing drove cost extraction, cost extraction drove layoffs and outsourcing, and what was left was an organization running on less institutional knowledge, fewer experienced staff, and weaker oversight than what it replaced.
We do not know the attack vector. CDK has not disclosed how BlackSuit gained initial access. Without this, we cannot establish a causal link between any organizational factor and the breach. Everything in this post is about pre-conditions, not causation.
We cannot connect Genpact to the intrusion. No evidence identifies Genpact’s systems or credentials as part of the attack chain. The outsourcing is relevant as a structural risk factor.
The TCS case showed what happens when a critical vendor is under strain. CDK shows where the strain comes from: acquisition debt that requires cost extraction on a timeline. The question is whether CDK is an outlier or a pattern.
While Brookfield Business Partners is a publicly listed permanent capital vehicle rather than a traditional private equity (PE) fund, the playbook was the same. Because the financial incentives are identical, the PE portfolio data below are directly relevant to the risks we documented at CDK, irrespective of the owner's legal structure.
Three independent surveys from 2025/2026 examined cybersecurity risk across PE portfolios:
S-RM: 72% experienced a serious cyber incident within their portfolio in the past three years. Just 54% confirmed all portfolio companies had a tested incident response plan.
Kroll: 80% experienced cyber disruption during the hold period. 94% absorbed financial losses, averaging $2.1 million per incident. Only 15% of smaller firms have a dedicated cyber risk leader.
QBE: 60% of PE firms reported that fewer than half of their target companies had cyber insurance before acquisition.
A separate FTI Consulting study, focused on cybersecurity during M&A transactions, found a similar gap at the executive level. A third of CISOs reported they are not meaningfully involved in transaction decisions. One in three said they can’t stop a deal even if the cybersecurity risk is too high. Only 23% of executives manage cybersecurity proactively after close.
Whether PE ownership systematically increases breach risk remains largely unexamined in academic literature. The closest parallel we found is healthcare: a study published in the Review of Financial Studies found that PE acquisition of US nursing homes increased patient mortality by 11%, driven by staffing cuts and reduced compliance. Similarly, according to a 2023 JAMA study, PE-owned hospitals saw a 25% increase in hospital-acquired conditions, including a rise in falls and central line-associated infections. The mechanism documented in these studies mirrors the trajectory our signals describe at CDK.
Beyond the operational chaos, the financial fallout exposes the true price of the debt-to-extraction model. CDK defended premium dealer pricing in an antitrust lawsuit partly on the grounds that the fees funded cybersecurity infrastructure, and then settled that case for $100 million two months after the breach. In January 2025, CDK settled a separate antitrust suit by software vendors accusing it of inflating data-access fees for $630 million. That’s $730 million in antitrust settlements from a company that was simultaneously cutting the workforce and infrastructure those fees were supposed to fund.
The cost extraction was designed to service Brookfield’s acquisition debt and increase the profitability multiplier for an eventual exit. When BlackSuit hit, it was the dealers who absorbed $1 billion in losses. The people who set the financial structure that created the breach conditions are not the people who paid when those conditions were exploited. The cost chain extends further: Travelers, acting as subrogee for dealership groups like Mills Auto Group, is currently litigating in federal court to recover over $1.1 million in indemnity payments. In late 2025, the court dismissed CDK's negligence and gross negligence claims under the economic loss doctrine but allowed the breach-of-contract claims to proceed.
We rate companies on patch cadence and firewall configurations. We don’t rate them on how much debt their owner took on to buy them or how many people who understood the systems were laid off to service it. After CDK, it’s challenging to argue that’s enough.
If you think it’s worth sharing, please do.
