Kingsley Hayes discusses the Arnold Clark cyberattack in UK Tech News


Share this article:


Head of Data and Privacy Litigation, Kingsley Hayes, discusses the Arnold Clark cyberattack that occurred in December 2022 in UK Tech News.

Kingsley’s article was published in UK Tech News, 13 March 2023, and can be found here.

Car dealership group Arnold Clark was hit by a cyber-attack on 23 December 2022, resulting in significant digital data loss.

The company initially posted about the incident on Twitter, but only to confirm temporary disruption to its IT systems, leading to the decision to take them offline. Media reports and social media posts of dissatisfied customers speak of the severe impact on the business running well into the new year.

The hack – and details about the data breach – was first publicly confirmed by an Arnold Clark spokesperson in comments made to AM/Automotive Online published on 3 January. Further details were provided in a security update on the company’s website on 28 January 2023 and on the same date notifications to affected customers commenced.

The Play ransomware gang has claimed responsibility for the attack. Play became increasingly active in the second half of 2022, and is notorious for using data theft and ransomware to attack businesses worldwide. The rise of Play has coincided with an increase in the use of ransomware worldwide.

According to the Mail on Sunday, Play ransomed the stolen data to Arnold Clark, and threated to publish more data if the company failed to pay the hackers a multi-million cryptocurrency bribe demand. Play then issued a statement on the Arnold Clark data breach, confirming that it had obtained 467GB of data during the attack, of which it had already posted 15GB to the dark web. An additional 30 gigabytes of the stolen data has since been found online.

The data seen by journalists so far includes private personal information from Arnold Clark’s customer base such as names, addresses, dates of birth, passports, national insurance numbers and financial information.

Since disconnecting its systems from the internet, Arnold Clark announced that an extensive review of its IT network was being carried out. Part of this involves rebuilding its systems within a segregated environment. However, data security experts are questioning why this was not done before a breach took place.

The total number of customers whose personal data was stolen in the Arnold Clark attack is yet to be confirmed by the company. However, based on what we know so far, this is a large-scale data loss, and the full impact of the attack is as yet unknown. Arnold Clark has hired credit referencing agency Experian as part of its data breach strategy, and will provide credit-monitoring services to affected customers. However, customers have been warned that the breach makes them move vulnerable to cyber-criminals.

The Arnold Clark attack serves as a reminder that UK businesses holding extensive customer databases will continue to be targeted by ransomware gangs, and that organisations must take proactive steps to protect their digital data.

In February 2024, our firm changed its name from Keller Postman UK to KP Law.

Share this article: