Arnold Clark hackers share another 30GB of stolen customer data on the dark web  


In December 2022, cybercriminals hacked Arnold Clark and demanded that the car dealer group pay a multi-million-pound ransom in return for not uploading customer information to the dark web. To demonstrate they were serious, the hackers initially uploaded 15 gigabytes of sensitive data. And it appears the cybercriminals have now upped the ante and carried out their threat as another 30 gigabytes of data has been found on the dark web.

The latest files were uploaded last night (14/02/2023). It is likely that this recent data is designed to put more pressure on Arnold Clark to pay up. 

Tens of thousands of people are now at risk as their compromised personal information is readily available online.  

According to Arnold Clark: “Unsigned copies of finance agreements” from 2019 and earlier are believed to have been stolen in the hack. These documents are likely to include customer names, addresses, vehicle registration numbers, and bank account and sort code details. At KP Law, we have seen cases where such sensitive data is purchased on the dark web and used to carry out identity theft, fraud, and phishing scams. As such, the consequences of the Arnold Clark data breach could devastate customers.   

On 28 January 2023, Arnold Clark released a statement about the attack. In this, the company appears to admit that, while its IT systems are capable of being set up so that they are not vulnerable to external attacks (such as when systems are built within a segregated environment), work to achieve this is only happening now. Has Arnold Clark unwittingly admitted that poor data security made this hack possible? And if the system had been built correctly in the first place, would customer data have been protected?  

Can you make an Arnold Clark data breach compensation claim?

Anyone who has purchased, sold, rented a vehicle, or had any servicing or repairs carried out by Arnold Clark within the last ten years could be affected by the hack. Arnold Clark is now notifying those affected, but any customer of Arnold Clark should be on guard against fraud and take immediate steps to protect themselves. Find out how to do this here.  

If you receive notification that you are affected by the Arnold Clark data breach, register below to receive updates on our investigation. If we uncover that poor security processes led to personal information being compromised, we will launch a data breach group action to help affected customers in England & Wales claim compensation for the security failures. 

In March 2024, our firm changed its name to KP Law. 

Share this article: