The summer of 2024 started like any other. Dealerships were busy prepping new sales strategies, and another superhero movie had just hit theaters. But behind the scenes, something dark was brewing, and it changed the automotive industry forever. 

On June 19, 2024, an unprecedented cyberattack rocked the retail automotive industry. It was a full-scale disruption that left thousands of dealerships unable to perform even the most basic operations. Payments stalled, paperwork froze, and business stopped. 

The Calm Before Another Storm

Between July and November, activity dipped slightly. It wasn’t gone, but it got quieter. Some dealerships used the time to upgrade their defenses, partnering with cybersecurity providers like Proton. Others stayed the course, unaware that the next wave was already forming. 

December brought another surge. With staff stretched thin for the holidays and leadership focused elsewhere, cybercriminals took advantage. Data from our Security Operations Center saw a 110 percent increase in cyberattacks from the year prior. The kicker? These attacks weren’t just happening more often — they were smarter.

From phishing emails and malware to ransomware and data harvesting, cybercriminals used increasingly advanced tools to exploit dealership systems. Often, the damage was done before anyone even knew. A single click could silently open the door to attackers, allowing them to lie in wait, quietly collecting data until the time was right to strike.

They didn’t need brute force. Just patience. 

A New Attack Emerges

By March 2025, another wave of attacks introduced a new threat. One that hit dealerships where they didn’t expect: vehicle inventory media.

Malicious code was hidden inside images and videos of vehicles listed online. When customers viewed these assets, the malware silently downloaded to their devices. From there, attackers scraped browser histories, stole passwords, and in some cases, gained full remote access. That remote access could then be used to compromise everything from payroll to banking systems. 

Fortunately, Proton identified and shut down the attack early, working with website providers to remove infected files before widespread damage could occur. The message from these attacks is clear. Cyberattacks are evolving fast, and no corner of your dealership is off-limits. 

So, what can you do?

Here’s some good news. While cyberthreats are very real, they’re not unstoppable. The dealerships that survive these attacks in the best shape usually have one thing in common: Cybersecurity is treated as a core function of their business, and not an afterthought.

If you’re not sure where to start, here are five essentials we recommend for every dealership: 
  1. Train every dealership employee on how to recognize and avoid social engineering and
    phishing scams.
  2. Use high-quality email filtering and ensure that cloud systems and remote access have
    Multi-Factor Authentication configured for all users.
  3. Use quality Managed Detection and Response programs.
  4. Rely on professionals to monitor and maintain the dealership's security tools 24/7/365.
  5. Have an incident response and recovery plan ready to go for when the worst-case
    scenario occurs.
What happened in the summer of 2024 wasn’t a fluke. It was more like the start of a new chapter. Cybercrime has become more aggressive, more persistent, and more targeted — especially toward retail automotive.

Since the attack, cyber activity has remained nearly 250 percent higher than previous levels. Cybercriminals target dealerships daily. The question isn’t if a threat will come knocking, it’s when. The stronger your defenses, the better your chances of keeping the doors open, the data safe, and your customers’ trust intact.