adimas - Fotolia

Arnold Clark customer data was stolen in Play ransomware attack

Arnold Clark confirms data leaked on dark web was stolen from its systems in ransomware attack

Car dealer Arnold Clark is writing to a number of customers to inform them their personal data was stolen in a cyber attack claimed by the increasingly prolific Play ransomware operation.

The 15GB data dump was posted to the dark web by an individual associated with the Play ransomware cartel, and is now understood to include names, contact details, dates of birth, vehicle details, ID documents including licences and passports, National Insurance numbers and bank account details.

Glasgow-based Arnold Clark, which is one of Europe’s largest family-run car sales networks, had previously said it believed it had been successful at protecting customer data, but it has now discovered this was not the case.

“While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold,” the organisation said in a statement.

“While this crime and theft of data has been targeted towards Arnold Clark, we recognise the impact this could have on our partners and customers. We take their safety and the safety of their data very seriously.”

Besides writing to all affected and potentially affected customers, Arnold Clark has also stood up a dedicated contact centre to assist customers, and will be offering two years’ worth of free fraud and credit protection services via Experian.

The attack on Arnold Clark took place before Christmas on the evening of 23 December, and forced staff to fall back on pen and paper to record customer transactions after they were locked out of their computers. Customers who had been due to collect new vehicles were also left unable to do so.

Read more about ransomware in 2023

  • Guardian Media Group bosses confirm the 20 December cyber attack that left staff locked out of its London office and disrupted several key systems was an untargeted ransomware attack.
  • The still-developing cyber incident at Royal Mail may be the work of the infamous LockBit ransomware operation.
  • A ransomware attack on Yum! Brands, the parent organisation of restaurants including KFC and Pizza Hut, was forced to shut approximately 300 outlets in the UK following a ransomware attack by an unspecified group.

Arnold Clark added that as a result of the incident it is now rebuilding its networks in a new segregated environment. This may be taken as an indication that it has refused to negotiate or pay a ransom, although this is unconfirmed. For the time being, this means its operational systems are not yet fully functional, so customers may still experience some inconvenience.

The firm additionally confirmed it is in contact with regulatory authorities including the Information Commissioner’s Office. Given the apparent scale of the data breach that has unfolded, the incident carries the potential for large fines under the scope of the UK General Data Protection Regulation and the possibility of group legal actions from customers.

Phishing risk

The volume and type of data stolen will be of immense value to cyber criminals, and in the near-term future puts Arnold Clark’s customers at significantly elevated risk of falling victim not to the Play ransomware itself, but to follow-on phishing attacks by opportunists.

Those who may be affected should be aware of unusual or suspicious-looking emails from addresses they do not know and trust, and in particular should never open any unsolicited attachments or click on any links in them.

The UK’s National Cyber Security Centre has published thorough guidance on how to recognise and report phishing emails, which can be read here.

Read more on Data breach incident management and recovery