Ransomware attack at Arnold Clark leads to customer data leak

Arnold Clark is sending emails to affected customers

It has long been known that large-scale ransomware attacks against companies are no longer about encrypting databases or spreadsheets and holding them hostage; they are about the information that can be stolen. Arnold Clark, one of the largest car retailers in Europe, is now dealing with a cyberattack that leaked the data of numerous customers and disrupted its operations on a rather large scale.

While it was initially claimed that no customer data was affected, it has now become clear that data was indeed leaked during the attack, which is now known to have been carried out by the Play ransomware gang. In the emails sent to the affected clients, the company said that the leaked data included banking details and various personal identification data.

Arnold Clark is a Glasgow-based car dealer that first opened in 1954. It operates more than 200 car dealerships all across the United Kingdom and sells more than 300,000 cars a year.[1]

First claimed to be a temporary disruption

The company first issued a statement on January 3, 2023,[2] saying that the December 23 attack was noticed after third-party security consultants notified it about suspicious activity on the network. In response to this intrusion, Arnold Clark shut down its network as a precautionary measure, which “has resulted in us cutting connectivity to the internet, our dealerships and our third-party connections.”

At that point, the company claimed that customers' data, its systems, and its third-party partners were secure. During the investigation, it became clear that the scope of the attack was larger than first thought and that customer information was indeed compromised:[3]

While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold.

The customers' personally identifiable information, which could later be used for malicious purposes, includes the following:

  • Names
  • Contact details
  • Dates of birth
  • Vehicle details
  • IDs (passports and driver's licenses)
  • National Insurance numbers
  • Bank account details (limited).

Last week, it came to light that the Play ransomware gang demanded millions in ransom in exchange for keeping the stolen data confidential and threatened to release the information if the demands were not fulfilled. Approximately 15 GB of personal data was stolen from the compromised network during the attack, along with 467 GB of other data. It is not yet clear whether the company will pay the ransom.

Customers are angry

In a letter sent to customers and signed by chief executive Eddie Hawthorne and chief operating officer Russell Borrie, the company said that the investigation was still continuing more than a month after the incident.

In the meantime, the company is building a “segregated environment” in its IT systems, which includes rebuilding its entire network from scratch. This work may keep some Arnold Clark services unavailable until all of them are set up properly.

The car retailer said that the “safety and data safety of their customers is taken very seriously,” so a few measures were implemented to help the affected clients. These include setting up special call centers for those who need assistance and providing more details on the official website. Arnold Clark also promised a 24-month fraud and credit protection plan from Experian, free of charge.

The affected people are not happy, however. The first emails with information about the breach of their data were sent on Tuesday, January 31, which is more than a month after the attack occurred. Others complained that it was impossible to contact Arnold Clark directly and that all complaints were handled by Experian instead.

While some customers noted that, under GDPR, heavy fines could be imposed on companies that fail to inform their clients within a reasonable timeframe, the spokesperson at Arnold Clark said:

While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold. During this incident we have been in constant communication with the regulatory authorities and have sought useful guidance from the police, and we will continue to do so to help other companies learn from our experience and be better prepared for possible situations such as this.

About the author
Gabriel E. Hall
Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
