Has Arnold Clark just admitted to poor data security processes?  

how to protect after cybercrime

Last week, news broke that hackers had successfully compromised Arnold Clark. According to media reports, the cybercriminals stole customer data from the car dealership and released 15 gigabytes of this onto the dark web. There were also threats of a much larger upload if Arnold Clark did not pay a multi-million-pound ransom. One national newspaper claimed that copies of bank statements were included in the stolen data.   

On 28 January 2023, Arnold Clark released a statement about the attack. In this, the company appears to admit that, while its IT systems are capable of being set up so that they are not vulnerable to external attacks (a segregated environment), work to achieve this is only happening now. Has Arnold Clark unwittingly admitted that poor data security made this hack possible? And if the system had been built correctly in the first place, would customer data have been protected? There are certainly questions that need answering.  

Furthermore, by offering affected and potentially affected customers 24 months’ fraud/credit protection, the statement also implies that Arnold Clark accepts that the breach has put these individuals at a greater risk of cybercrime.  

Such acknowledgements by Arnold Clark will likely support any data breach compensation claims.  

KP Law has launched an investigation to find out what happened and how this breach affects Arnold Clark customers. We believe that failures to adopt standard security measures may have made this attack easier. We also want to find out why Arnold Clark did not notify its customers “without undue delay”, which it should have done. As far as our data protection solicitors can tell, there is no good reason for this delay. And by not letting customers know about the risk immediately, Arnold Clark left them at a very high risk of further cyberattacks, fraud and identity theft.    

What does the Arnold Clark data breach statement say

The statement from the car dealership says:  

“On the evening of 23 December 2022, Arnold Clark Automobiles was a victim of a cyber attack. Our external security network consultants alerted us to unusual activity on our network, and we immediately took steps to minimize the impact of the attack by removing all external connections to our network to protect our customer data, third-party partners and our systems. 

“While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold. Due to the type of cyber attack that we have been subjected to, it is extremely difficult to accurately identify what has been stolen; however, our teams are working with our external advisors to understand the exact nature and extent of that data. 

“While this crime and theft of data has been targeted towards Arnold Clark, we recognise the impact this could have on our partners and customers. We take their safety and the safety of their data very seriously, therefore while further analysis is ongoing, we are taking the following steps now: 

  • We are setting up a dedicated call/help centre with our partners Experian to help those affected, or potentially affected, with more information. 
  • We are writing to all affected and potentially affected customers and will continue that communication as our investigation progresses. 
  • We will provide regular cyber security updates on our websites. 
  • We will offer our affected and potentially affected customers 24 months’ fraud/credit protection with Experian free of charge. 

During this incident we have been in constant communication with the regulatory authorities and have sought useful guidance from the police, and we will continue to do so to help other companies learn from our experience and be better prepared for possible situations such as this. 

As a result of this incident, we have taken the decision to rebuild our networks in a new segregated environment, which has meant that our operational systems are not yet fully functional, so we apologise for any inconvenience this may cause our customers. 

If you need to contact us about this incident, you can do so by contacting Arnold Clark Customer Services. “

Can you make an Arnold Clark data breach compensation claim?

The sheer volume of data involved leads us to believe that anyone who has been a customer of Arnold Clark in the last ten years could be affected by the hack. Arnold Clark is now notifying those affected, but any customer of Arnold Clark should be on guard against fraud and take immediate steps to protect themselves.  Find out how to do this here.  

If you receive notification that you are affected by the Arnold Clark data breach, register below to receive updates on our investigation. If we uncover that poor security processes led to personal information being compromised, we will launch a data breach group action to help affected customers in England & Wales claim compensation for the security failures. 

In March 2024, our firm changed its name to KP Law. 

Share this article: