Hackers threatening to upload Arnold Clark customer information to dark web 


Hackers have targeted Arnold Clark and are demanding that the car dealer group pay a multi-million-pound ransom. If they are not paid, the cybercriminals have said they will upload customer information to the dark web. Tens of thousands of people are thought to be at risk if the hackers go through with their threat. And, even if they don’t, many are worried about what else might be done with their compromised personal information.  

It doesn’t appear to be an empty promise from the hackers, with reports that they have already released 15 gigabytes of sensitive data. Another, much larger upload has been threatened if they do not get the demanded cryptocurrency ransom.  

The data that has been accessed includes National Insurance numbers, dates of birth, phone numbers, emails, copies of passports and home addresses. One national newspaper claims that copies of bank statements have also been stolen.  

At KP Law, we have seen cases where such sensitive data is sold on the dark web and used to carry out identity theft, fraud, and phishing scams. As such, the consequences of the Arnold Clark data breach could be devastating.  

The attack is thought to have been carried out on 23rd December 2022. A spokesperson for the company said that it was investigating the incident and would contact affected customers once it had a better understanding of what had happened. But, by not letting customers know now, Arnold Clark is leaving them at a very high risk of further cyberattacks, fraud and identity theft.  

For example, as well as the threat of someone being able to access your finances, phishing fraudsters regularly use stolen contact details to trick people into giving them more personal information (e.g. usernames, passwords, credit card details, etc.) and steal from them.  

Phishing often happens following a data breach. Criminals use the data exposed in breaches to trick people into believing they are genuine. If you are the victim of a data privacy violation, it is quite likely that different criminals could use your data against you. Stolen data is also used in batches over time, so the impact of a data breach might not be immediately apparent. 

Find out how to protect yourself after a data breach.  

While Arnold Clark is a victim of a criminal hack, in most cases, poor data security allows these violations to happen.

If you are an Arnold Clark customer, register below to receive updates on our investigation. If we uncover that poor security processes led to customer information being compromised, we will launch a data breach group action to help affected customers in England & Wales claim compensation for the security failures. 

In March 2024, our firm changed its name to KP Law. 

Share this article: