In December 2022, cybercriminals hacked Arnold Clark and demanded that the car dealer group pay a multi-million-pound ransom in return for not uploading customer information to the dark web. To demonstrate they were serious, the hackers initially uploaded 15 gigabytes of sensitive data. And it appears the cybercriminals have now upped the ante and carried out their threat as another 30 gigabytes of data has been found on the dark web.
The latest files were uploaded last night (14/02/2023). It is likely that this recent data is designed to put more pressure on Arnold Clark to pay up.
Tens of thousands of people are now at risk as their compromised personal information is readily available online.
According to Arnold Clark: “Unsigned copies of finance agreements” from 2019 and earlier are believed to have been stolen in the hack. These documents are likely to include customer names, addresses, vehicle registration numbers, and bank account and sort code details. At KP Law, we have seen cases where such sensitive data is purchased on the dark web and used to carry out identity theft, fraud, and phishing scams. As such, the consequences of the Arnold Clark data breach could devastate customers.
On 28 January 2023, Arnold Clark released a statement about the attack. In this, the company appears to admit that, while its IT systems are capable of being set up so that they are not vulnerable to external attacks (such as when systems are built within a segregated environment), work to achieve this is only happening now. Has Arnold Clark unwittingly admitted that poor data security made this hack possible? And if the system had been built correctly in the first place, would customer data have been protected?
Anyone who has purchased, sold, rented a vehicle, or had any servicing or repairs carried out by Arnold Clark within the last ten years could be affected by the hack. Arnold Clark is now notifying those affected, but any customer of Arnold Clark should be on guard against fraud and take immediate steps to protect themselves. Find out how to do this here.
If you receive notification that you are affected by the Arnold Clark data breach, register below to receive updates on our investigation. If we uncover that poor security processes led to personal information being compromised, we will launch a data breach group action to help affected customers in England & Wales claim compensation for the security failures.
In our regular update, we provide a roundup of some of the data breaches and… Read More
We have launched a group action against MOVEit/Zellis. Group actions can be a powerful tool… Read More
The number of organisations affected by the MoveIt Data Breach is still rising, despite the… Read More
We have launched a group action against 23andMe. Group actions can be a powerful tool… Read More
The Information Commissioner’s Office (ICO) has launched a joint investigation into the 23andMe data breach… Read More
We have launched a group action against Capita. Group actions can be a powerful tool… Read More