Car dealerships revert to pens and paper after cyberattacks on software provider

Disaster Recovery vs. Business Continuity

  • DR is described as “how do we restore IT and get back to normal?”
  • BCP is “how do we keep the business running when ‘normal’ systems are unavailable, possibly without IT at all?”
  • A solid BCP can keep a company alive, however painfully, while DR is in progress; DR without BCP can still doom the business.

CDK, Market Structure, and Security Culture

  • CDK (a dominant dealer management system vendor) is portrayed as highly entrenched, holding a large market share alongside a small set of competitors, which creates systemic fragility.
  • High switching costs, deep integrations (DMS, CRM, service, compliance, networks, even printers), and retraining needs make migration very hard.
  • Several comments link private‑equity style cost cutting, low engineering pay, outsourcing, and aging tech stacks to weak security and resilience.
  • Others note that high-paying or “better tech” firms also suffer breaches, so compensation alone doesn’t guarantee security.

Operational Impact on Dealerships

  • Many dealers reverted to paper: handwritten sales contracts, manual inventory walks, and ad‑hoc workarounds for F&I and service.
  • Some can still sell from lot inventory; parts/service and ordering supply chains appear more disrupted.
  • Experiences vary: a few report near-normal operation with delays; others describe severe constraints and lost sales.
  • The thread notes the irony that a local system outage would be survivable because customers can go to another dealer, but a central SaaS failure hits everyone at once.

Monopoly, Franchise Laws, and Dealer Model

  • Strong criticism of dealer-franchise laws that block direct manufacturer sales and restrict new competing dealerships; characterized as regulatory capture and “government‑mandated” protection.
  • Debate over whether independent dealers add value (test drives, warranty service, local jobs, inventory risk) versus being rent‑seeking middlemen.
  • Tesla’s direct-sales model is cited both positively (transparent pricing, no “stealership” games) and negatively (service and parts delays, spotty repair networks).

Paper, Resilience, and Human Factors

  • Multiple comments defend paper processes as essential BCP: robust to power/network failures, easy to audit, and familiar from voting systems and 911 call workflows.
  • Downsides: poor searchability, physical risks (fire, loss), and degradation (e.g., thermal receipts fading).
  • Cyber incidents are framed as reasons to design graceful degradation and tabletop-tested fallback processes, not to abandon digital entirely.

Security Responsibility and Engineering Quality

  • Disagreement on blame: some say “Product” pushes insecure shipping; others argue most developers aren’t strongly advocating for security either.
  • Several anecdotes from adjacent automotive SaaS describe poor testing, weak CI, minimal backup planning, and rushed, sales-driven roadmaps—seen as typical, not exceptional.