Arnold Clark data leak victims prepare legal action

Thousands of people whose personal data was exfiltrated and publicly leaked by the Play ransomware gang following a cyber attack on the systems of nationwide car dealer network Arnold Clark in 2022 are now coming forward to participate in what may become one of the largest group action law suits yet seen in the UK.

The incident began on 23 December 2022, and its initial impact saw Arnold Clark dealers forced to resort to pen and paper to record transactions, while hundreds of people who had been hoping to collect their new cars were left temporarily disappointed.

The Glasgow-based firm, which is one of the UK’s largest and longest-established family-owned car dealers, initially said that its customers’ data was safe.

However, on 22 January 2023, the Mail on Sunday revealed that this was not the case after a 15GB tranche of data was leaked on the dark web by Play.

This data included customer photo identification, passport data, banking data, dates of birth and home addresses, among other things.

Shortly afterwards, Arnold Clark acknowledged that it had been the victim of data exfiltration, and at the end of January 2023, the organisation began the process of sending notifications to its customers in staggered batches.

A few weeks later, in mid-February, a further 30GB of data was posted, followed by the full data dump, totaling almost 470GB, at the end of March.

The action is being spearheaded by Keller Postman, a law firm that specialises in helping cyber incident victims get redress – although other actions are in progress.

Connor Hewitt, who works in the cyber security sector, is among those to have joined Keller Postman’s group action as a client.

Hewitt bought a car from Arnold Clark a few years ago and as part of the sale provided extensive personally identifiable information (PII) to the car dealership to enable it to conduct due diligence and credit checks. He was informed that his data had been leaked in mid-February, a few weeks after the Mail on Sunday broke the story.

“I remember getting the notification – I was in the gym and I remember the email popping up,” said Hewitt. “It basically said we believe your data was included in a data breach.”

Hewitt was only mildly concerned at this stage, as the Mail’s story generated some discussion within a work-based group chat of which he is a member. The group shares breach information to help him and his colleagues have more informed conversations about cyber security with their customers.

“Obviously that article came out and the first thing that came into my head was, ‘I bought a car from them, I wonder if my information is part of that breach.’ And then…I got the email to say my information was part of that,” he said.

Hewitt says he has seen multiple fraud attempts being made against him since then. “It’s not been too bad because I can spot them quite easily based on the work I do – I do phishing training all the time with customers,” he said.

“There have been spikes in...the likes of Instagram, direct messages with links, spikes in Facebook friend requests – again, slightly dodgy ones. There have been 30, maybe pushing 40, credit checks done against me. I’ve had text messages off companies trying to say, ‘You’ve got parcels being delivered, please check this parcel”, and all that kind of stuff. Sometimes that happens when you have ordered something, as well.”

Many of these fraud attempts were extremely crude and easily spotted, but many have been quite sophisticated, and Hewitt said he was keenly aware that thousands of less technology-savvy people caught up in the incident have not been so lucky.

Indeed, Arnold Clark-linked frauds are now popping up all over the UK, said Keller Postman associate solicitor Bill Singer.

“Numerous clients have uncovered evidence of identity theft, for example, unauthorised credit checks, sometimes dozens a day. Other clients have actually reported fraud going through,” said Singer.

“Huge numbers of them are experiencing an elevated level of fraud attempts, a whole variety of phishing, social media messages, text messages. Lots have had cold calls as well – for example, bogus calls from their bank’s fraud department. They are seeing a wide variety of cyber criminal activity.”

Singer said it was not possible to put a figure on what the average loss per claimant might be, but in instances where frauds have been successful, they have ranged in value from Direct Debits for a few pounds being set up on victims’ bank accounts, to attempts to obtain high value items and services, many of which have been successful.

One claimant, somewhat ironically, found that their identity had been stolen when a letter arrived at their house from a Volkswagen dealer, congratulating them on the purchase of a £38,000 Golf, which was most assuredly not parked on their driveway.

“Whether the fraud is small or large it has the same consequences,” said Singer. “You still need to get your money back. You still need to spend extra time protecting yourself against future frauds. You might have an impacted credit score – I have clients who have been refused credit on new cars due to all of these identity theft attempts.”

Those affected are being urged to come forward to join more than 10,000 people who have already signed up as potential claimants. More details can be found on Keller Postman’s website.

Singer told Computer Weekly the case against Arnold Clark is still in the evidence-gathering phase prior to potential court proceedings, but the solicitors have alleged liability and put forward their claim to Arnold Clark. They are currently waiting on its response.

Keller Postman and its clients are also awaiting the outcome of the Information Commissioner's Office’s (ICO’s) investigation into whether or not Arnold Clark has breached any of its statutory obligations under the General Data Protection Regulation (GDPR).

“We will be keenly awaiting the outcome of the ICO investigation. We [also] know the ICO is investigating at least one complaint from Arnold Clark customers who have been dissatisfied with the [response to the] data breach,” said Singer.

“The ICO has very heavy fining powers [and] we would expect a broad fine if any breaches are upheld, but what they can’t do is award any compensation to individual customers who complain.”

For Hewitt, the ideal outcome would be for Arnold Clark to admit and accept liability over the breach, but also to fairly compensate those affected.

“Although I’m in a position where I can see the threats as they are…there will be people who will fall for phishing as people do. It can be scary for a lot of people who will see them and not really understand what’s happening,” he said.

Singer added: “The whole essence of the case is that Arnold Clark could and should have done more.”

Computer Weekly contacted Arnold Clark’s press office for comment on the ongoing investigation, but the organisation had not responded at the time of publication.