A further 475GB of data found on the dark web following the Arnold Clark data breach  


In early 2023, hackers targeted car dealership Arnold Clark and threatened to release a huge amount of customer information onto the dark web unless they were paid a multi-million-pound crypto-currency ransom. The cybercriminals released an initial 15 gigabytes of sensitive data on 17 January 2023. A further 30 gigabytes of data was posted on the dark web on 14 February 2023, and on 31 March 2023, another 475 gigabytes of data was discovered on the dark web.  

At KP Law, we believe that a mammoth data breach event has happened, yet the full extent of how this breach affects Arnold Clark customers may take months to become clear. Nevertheless, over the last few weeks we have started to see a significant rise in fraud reports being made following the data theft and dark web posts. 

To date, the process of notifying customers has taken months, and many Arnold Clark customers still have not received notification of a data breach. As we publish this article, we have seen no evidence that Arnold Clark has begun notifying those customer’s whose data has recently been published on the dark web. This lack of communication from Arnold Clark leaves these customers exposed to fraud. We highly recommend anyone who has been a customer of Arnold Clark over the last 10 years – and perhaps even before that – to take immediate steps to protect themselves.  Find out how to do this here.  

We also believe that failures to adopt standard security measures may have made this attack easier. As such, we have launched a group action to help affected customers in England & Wales claim compensation. We currently represent in excess of 7,500 customers and are helping them to seek information and redress.  

Here are some of the questions our expert data breach solicitors have been asked about the Arnold Clark data breach so far:

Am I affected by the Arnold Clark data breach?

If your details were put at risk, Arnold Clark should write to you to let you know. The volume of data at risk leads us to believe that any customer of Arnold Clark in the last ten years has a high probability of their information being accessed. If you receive notification that your data was compromised in this breach, register to receive updates on our investigation.   

If you have received an email confirming your involvement in the Arnold Clark data breach, you must save a copy. Some of our clients have reported receiving such notifications, only for their emails to later disappear. 

Some organisations use self-destructing emails to automatically delete communications, either after a certain amount of time or when they request it. We do not condone this practice, especially in data breach cases where notification is widely used to prove an individual’s involvement in a breach and is thus vital evidence when making a claim. While we cannot be sure if Arnold Clark has set its emails to self-destruct, we have seen this happen in other cases. As such, we advise anyone who receives a data breach notification to keep a copy just in case.

Can I claim compensation for the Arnold Clark data breach?

You may be able to claim compensation for any distress or financial losses experienced because of this breach. If you live in England or Wales and you receive notification that your data was compromised, register with KP Law. We will provide updates on this case, and let you know if and when you can claim compensation for the privacy violation.   

What is a group action?

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions, multi-claimant, or multi-party actions. .

How much will I have to pay to make a compensation claim with KP Law?

There are no costs to join our no-win, no-fee claim and if you lose, you won’t pay a penny. If your claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you.  

What should I do if I am worried that my details were involved in this breach?

Victims of data breaches often become the target of cybercriminals and phishing attacks. Similar privacy violations have resulted in fraud, blackmail, and identity theft. As such, Arnold Clark customers are at high risk of being targeted by cybercriminalsAnyone who thinks they might be involved in the Arnold Clark data breach should take immediate steps to protect themselves. 

How did the Arnold Clark data hack happen?

Arnold Clark experienced a cyber security incident on 23rd December 2022. This is reported to have been carried out by the Play ransomware cartel. On 28 January 2023, Arnold Clark released a statement about the attack. In this, the company appears to admit that, while its IT systems are capable of being set up so that they are not vulnerable to external attacks, work to achieve this started after the hack. Did Arnold Clark unwittingly admit that poor data security made this hack possible?  

A failure to adopt standard security measures often makes such attacks possible. If Arnold Clark did not have adequate protections in place, it must be held responsible for any loss or distress experienced by its customers because of this breach.     

What data was breached?

The list of potentially compromised data includes customer:  

  • National Insurance numbers  
  • Dates of birth  
  • Phone numbers  
  • Emails  
  • Copies of passports  
  • Home addresses
  • Copies of bank statements.    

Why did Arnold Clark delay telling customers about the breach?

It is not yet clear why Arnold Clark did not notify its customers “without undue delay”, which it should have done. As far as our data protection solicitors can tell, there is no good reason for this delay. By not letting customers know about the risk immediately, Arnold Clark left them at a very high risk of further cyberattacks, fraud and identity theft.     

What has Arnold Clark said about the breach?

A statement from the car dealership says:  

On the evening of 23 December 2022, Arnold Clark Automobiles was a victim of a cyber attack. Our external security network consultants alerted us to unusual activity on our network, and we immediately took steps to minimize the impact of the attack by removing all external connections to our network to protect our customer data, third-party partners and our systems. 

“While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold. Due to the type of cyber attack that we have been subjected to, it is extremely difficult to accurately identify what has been stolen; however, our teams are working with our external advisors to understand the exact nature and extent of that data. 

“While this crime and theft of data has been targeted towards Arnold Clark, we recognise the impact this could have on our partners and customers. We take their safety and the safety of their data very seriously, therefore while further analysis is ongoing, we are taking the following steps now: 

  • We are setting up a dedicated call/help centre with our partners Experian to help those affected, or potentially affected, with more information. 
  • We are writing to all affected and potentially affected customers and will continue that communication as our investigation progresses. 
  • We will provide regular cyber security updates on our websites. 
  • We will offer our affected and potentially affected customers 24 months’ fraud/credit protection with Experian free of charge. 

During this incident we have been in constant communication with the regulatory authorities and have sought useful guidance from the police, and we will continue to do so to help other companies learn from our experience and be better prepared for possible situations such as this. 

As a result of this incident, we have taken the decision to rebuild our networks in a new segregated environment, which has meant that our operational systems are not yet fully functional, so we apologise for any inconvenience this may cause our customers. 

If you need to contact us about this incident, you can do so by contacting Arnold Clark Customer Services. 


In March 2024, our firm changed its name to KP Law. 

Share this article: