Arnold Clark Data Breach Compensation

Cybercriminals hacked the personal details of Arnold Clark customers.

KP Law can help victims to claim compensation.

Have you been affected by the Arnold Clark data breach?

Customers of Arnold Clark may have had their personal information exposed following a data hack. The breach happened after hackers broke into the car dealer’s systems. The cybercriminals then demanded a multi-million-pound ransom and threatened to upload customer information to the dark web if they were not paid.  

Tens of thousands of people are thought to be at risk.  The Play ransomware cartel has claimed responsibility for the cyberattack.  

According to various media reports, the stolen data includes:  

Bank account and sort code details may also have also been stolen.   

The cybercriminals released an initial 15 gigabytes of sensitive data on 17 January 2023. A further 30 gigabytes of data was posted on the dark web on 14 February 2023, and on 31 March 2023, another 475 gigabytes of data was discovered on the dark web.


KP Law has launched an investigation and group action to find out what happened and how this breach affects Arnold Clark customers. We believe that failures to adopt standard security measures may have made this attack easier.  

Our data breach group action will help affected customers in England & Wales claim compensation for the security failures. We currently represent in excess of 7,500 customers and are helping them to seek information and redress.  

If you are an Arnold Clark customer, register below to join our action and receive updates on our investigation. 

If you have received an email confirming your involvement in the Arnold Clark data breach, you must save a copy. Some of our clients have reported receiving such notifications, only for their emails to later disappear.

Some organisations use self-destructing emails to automatically delete communications, either after a certain amount of time or when they request it. We do not condone this practice, especially in data breach cases where notification is widely used to prove an individual’s involvement in a breach and is thus vital evidence when making a claim. While we cannot be sure if Arnold Clark has set its emails to self-destruct, we have seen this happen in other cases. As such, we advise anyone who receives a data breach notification to keep a copy just in case.

Join our no-win, no-fee Arnold Clark compensation claim

Why claim data breach compensation?

Hold organisations to account for failing to protect your private information.

Receive financial compensation for your loss.

Force organisations to implement better data security.

Victims of the Arnold Clark data breach could be at risk

If your details were put at risk, Arnold Clark should write to you to let you know. But the attack is thought to have been carried out on 23rd December 2022, and this didn’t start to happen until late January 2023. By not letting customers know immediately, Arnold Clark left them at a very high risk of further cyberattacks, fraud and identity theft.   

If you are an Arnold Clark customer you should take immediate steps to protect yourself 

Victims of data breaches often become the target of cybercriminals and similar privacy violations have resulted in fraud, blackmail, and identity theft. As such, Arnold Clark customers are at high risk of being targeted by cybercriminals and should take immediate steps to protect themselves.   

Our data protection experts have provided some guidance on how to do this.  

KP Law has launched an investigation to find out what happened and how this breach affects Arnold Clark customers. We may be able to claim compensation for any distress or financial losses experienced because of this breach.  We urge anyone affected to register with us. 


Talk to our expert data breach lawyers today on 0151 459 5850 

Arnold Clark data breach timeline

  • 23 December 2022
    Hackers carry out a cyber-attack against Arnold Clark
  • 27 December 2022
    Arnold Clark confirmed that “suspicious network traffic was detected” on Twitter
  • 3 January 2023
    Arnold Clark releases a statement confirming the breach
  • 19 January 2023
    ReformedIT stated that it had discovered Arnold Clark customers’ personal data on the dark web
  • 26 January 2023
    We launched an investigation into this data breach to help victims claim compensation for the privacy violation
  • 28 January 2023
    Arnold Clark released a statement about the attack. This statement appeared to admit to inadequate data security processes.
  • 14 February 2023
    Another 30GB of customer data was uploaded to the dark web.
  • 31 March 2023
    Another 475 gigabytes of data was discovered on the dark web.

Latest News

Your questions answered

FAQs about the Arnold Clark data breach

Arnold Clark experienced a cyber security incident on 23rd December 2022. It was issued with a multimillion-pound ransom demand from the Play ransomware cartel. A 15GB tranche of stolen customer data was allegedly shared on the dark web, with another, much larger upload threatened if the cryptocurrency ransom was not paid.  

The cybercriminals then carried out their threat and released another 30 gigabytes of data on the dark web.

The list of potentially compromised data includes customer: 

  • National Insurance numbers 
  • Dates of birth 
  • Phone numbers 
  • Emails 
  • Copies of passports 
  • Home addresses. 
  • Bank account and sort code details. 

On 3 January 2023, 11 days after the cyberattack, Arnold Clark said: 

“Late on the evening of 23rd December, the Group was notified by our external cyber security consultants of suspicious traffic on our network. Once we confirmed this internally with our own Cyber team, we made the decision to bring down our network voluntarily as a purely protective measure, which has resulted in us cutting connectivity to the internet, our dealerships and our third-party connections. 

 “Our priority has been to protect our customers’ data, our systems and our third-party partners. While this has been acheived, this action has caused temporary disruption to our business and unfortunately our customers. 

“Our external security partners have now been performing an extensive review of our whole IT network and infrastructure, which is a mammoth task, and they are providing guidance to our IT team on the re-enabling of our network and systems in a safe, secure and phased manner. 

 “Our showrooms and branches are open and will be able to assist our customers using our temporary systems until we have been able to restore our full systems safely. We expect to resume customer vehicle collections later this week and our branches are contacting customers to arrange this. 

 “Once again, we would like to thank our customers for their understanding and to apologise for any inconvenience this has caused.” 

On 28 January 2023, Arnold Clark released a further statement about the attack. In this, the company appeared to admit that, while its IT systems were capable of being set up so that they were not vulnerable to external attacks (a segregated environment), work to achieve this had only just begun.

The volume of data at risk leads us to believe that any customer of Arnold Clark in the last ten years has a high probability of their information being accessed.

Arnold Clark is writing to all affected and potentially affected customers and will continue that communication as its investigation progresses. 


Anyone who thinks they might be involved should take immediate steps to protect themselves.  Find out how to do this here. 

If you live in England or Wales and you are involved in this breach, you may be able to join our no-win, no-fee compensation claim. There are no costs to register and no obligation to proceed. 

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions, multi-claimant, or multi-party actions.

There are no costs to join a claim. However, if your claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you. At KP Law, our success fee is competitive, and we make sure you are fully informed about any potential costs before you officially join our action. If you lose, you won’t have to pay a penny.


More information about making a group action claim



Find out more about making a group action claim for compensation.



What does no-win, no-fee actually mean and are there really no costs if you appoint us?

Why use KP Law to make a claim?

We are one of the most experienced multi-claimant law firms in the UK.

Our GDPR, data breach and cybercrime specialists have a combined experience of over 50 years.

We represent clients in group actions with innovation, resources, and expertise.

We work with expert barristers to ensure you get the very best level of legal support available.

We have all the resources and global expertise necessary to take on complicated cases and win.

We have offices in London, Liverpool, Manchester, and Birmingham, and the technology to provide a nationwide service to clients across England & Wales.

We use technology to deliver a better legal experience to our clients.

We work on a no-win, no-fee basis.

We make the process straightforward and hassle-free.

What can you claim for?

While each case is judged on its own merits, there are some things we would typically look for when it comes to when claiming compensation following a data breach, cybercrime or other GDPR violation:

Financial loss

With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.


GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.

Loss of privacy

Your data has value, and organisations must be held to account if they fail to protect your right to data privacy or otherwise do not uphold your GDPR rights.

How to protect yourself following a data breach or cybercrime

  • Contact your bank or credit card provider immediately if your financial data has been exposed.
  • Check all bills and emails for goods or services you have not ordered.
  • Check your bank account for unfamiliar transactions.
  • Alert your bank or credit card provider immediately if there is any suspicious activity.
  • Monitor your credit score for any unexpected dips.
  • Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name.
  • Never provide your PIN or full password to anyone (even someone claiming to be from your bank).
  • Never been pressured into moving money to another account for fraud reasons. A legitimate bank won’t ask you to do this.
  • Follow the security instructions provided by the organisation that breached your data.
  • Never automatically click on any suspicious links or downloads in emails or texts.
  • Don’t assume an email or phone call is authentic just because someone has your details.
  • Be careful who you trust – criminals often use scare tactics to try and trick you into revealing your security details.
  • Know that, even if you recognise a name or number, it might not be genuine.
  • Don’t be rushed or pressured into making a decision. A trustworthy organisation would never force you to make a financial transaction on the spot.
  • Never provide your full password, pin or security code to someone over the phone (or via message). If a bank believes a transaction has been fraudulent, they will not ask for this information to cancel the transaction.
  • Listen to your instincts and ask questions if something feels “off”.
  • Refuse requests for personal or financial information and stop discussions if you are at all unsure.
  • Contact your bank or financial service provider on a number you know and trust to check if a communication is genuine.
  • Be cautious of unsolicited communications that refer you to a web page asking for personal data.
  • Don’t accept friend requests from people you don’t know on social media.
  • Review your online privacy settings.
  • Report suspected fraud attempts to the police and Action Fraud.
  • Register with the Cifas protective registration service to slow down credit applications made in your name.
  • Change your passwords regularly and use a different password for every account (a password manager can help with this).
  • Protect your devices with up-to-date internet security software.