In early 2023, hackers targeted car dealership Arnold Clark and threatened to release a huge amount of customer information onto the dark web unless they were paid a multi-million-pound crypto-currency ransom. The cybercriminals released an initial 15 gigabytes of sensitive data on 17 January 2023. A further 30 gigabytes of data was posted on the dark web on 14 February 2023, and on 31 March 2023, another 475 gigabytes of data was discovered on the dark web.
At KP Law, we believe that a mammoth data breach event has happened, yet the full extent of how this breach affects Arnold Clark customers may take months to become clear. Nevertheless, over the last few weeks we have started to see a significant rise in fraud reports being made following the data theft and dark web posts.
To date, the process of notifying customers has taken months, and many Arnold Clark customers still have not received notification of a data breach. As we publish this article, we have seen no evidence that Arnold Clark has begun notifying those customer’s whose data has recently been published on the dark web. This lack of communication from Arnold Clark leaves these customers exposed to fraud. We highly recommend anyone who has been a customer of Arnold Clark over the last 10 years – and perhaps even before that – to take immediate steps to protect themselves. Find out how to do this here.
We also believe that failures to adopt standard security measures may have made this attack easier. As such, we have launched a group action to help affected customers in England & Wales claim compensation. We currently represent in excess of 7,500 customers and are helping them to seek information and redress.
If your details were put at risk, Arnold Clark should write to you to let you know. The volume of data at risk leads us to believe that any customer of Arnold Clark in the last ten years has a high probability of their information being accessed. If you receive notification that your data was compromised in this breach, register to receive updates on our investigation.
If you have received an email confirming your involvement in the Arnold Clark data breach, you must save a copy. Some of our clients have reported receiving such notifications, only for their emails to later disappear.
Some organisations use self-destructing emails to automatically delete communications, either after a certain amount of time or when they request it. We do not condone this practice, especially in data breach cases where notification is widely used to prove an individual’s involvement in a breach and is thus vital evidence when making a claim. While we cannot be sure if Arnold Clark has set its emails to self-destruct, we have seen this happen in other cases. As such, we advise anyone who receives a data breach notification to keep a copy just in case.
You may be able to claim compensation for any distress or financial losses experienced because of this breach. If you live in England or Wales and you receive notification that your data was compromised, register with KP Law. We will provide updates on this case, and let you know if and when you can claim compensation for the privacy violation.
A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions, multi-claimant, or multi-party actions. .
There are no costs to join our no-win, no-fee claim and if you lose, you won’t pay a penny. If your claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you.
Victims of data breaches often become the target of cybercriminals and phishing attacks. Similar privacy violations have resulted in fraud, blackmail, and identity theft. As such, Arnold Clark customers are at high risk of being targeted by cybercriminals. Anyone who thinks they might be involved in the Arnold Clark data breach should take immediate steps to protect themselves.
Arnold Clark experienced a cyber security incident on 23rd December 2022. This is reported to have been carried out by the Play ransomware cartel. On 28 January 2023, Arnold Clark released a statement about the attack. In this, the company appears to admit that, while its IT systems are capable of being set up so that they are not vulnerable to external attacks, work to achieve this started after the hack. Did Arnold Clark unwittingly admit that poor data security made this hack possible?
A failure to adopt standard security measures often makes such attacks possible. If Arnold Clark did not have adequate protections in place, it must be held responsible for any loss or distress experienced by its customers because of this breach.
The list of potentially compromised data includes customer:
It is not yet clear why Arnold Clark did not notify its customers “without undue delay”, which it should have done. As far as our data protection solicitors can tell, there is no good reason for this delay. By not letting customers know about the risk immediately, Arnold Clark left them at a very high risk of further cyberattacks, fraud and identity theft.
A statement from the car dealership says:
On the evening of 23 December 2022, Arnold Clark Automobiles was a victim of a cyber attack. Our external security network consultants alerted us to unusual activity on our network, and we immediately took steps to minimize the impact of the attack by removing all external connections to our network to protect our customer data, third-party partners and our systems.
“While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold. Due to the type of cyber attack that we have been subjected to, it is extremely difficult to accurately identify what has been stolen; however, our teams are working with our external advisors to understand the exact nature and extent of that data.
“While this crime and theft of data has been targeted towards Arnold Clark, we recognise the impact this could have on our partners and customers. We take their safety and the safety of their data very seriously, therefore while further analysis is ongoing, we are taking the following steps now:
During this incident we have been in constant communication with the regulatory authorities and have sought useful guidance from the police, and we will continue to do so to help other companies learn from our experience and be better prepared for possible situations such as this.
As a result of this incident, we have taken the decision to rebuild our networks in a new segregated environment, which has meant that our operational systems are not yet fully functional, so we apologise for any inconvenience this may cause our customers.
If you need to contact us about this incident, you can do so by contacting Arnold Clark Customer Services.
In our regular update, we provide a roundup of some of the data breaches and… Read More
We have launched a group action against MOVEit/Zellis. Group actions can be a powerful tool… Read More
The number of organisations affected by the MoveIt Data Breach is still rising, despite the… Read More
We have launched a group action against 23andMe. Group actions can be a powerful tool… Read More
The Information Commissioner’s Office (ICO) has launched a joint investigation into the 23andMe data breach… Read More
We have launched a group action against Capita. Group actions can be a powerful tool… Read More