Arnold Clark customer data 'stolen in cyber attack'

[Image: Arnold Clark, Hillington Road. Image source: Google. Caption: The company's headquarters is located on Hillington Road in Glasgow.]

Some Arnold Clark customers have been told their personal information may have been stolen in a cyber attack.

The car retailer, which sells more than 300,000 cars per year, said data that may have been stolen included bank details and ID documents.

Customers were emailed on Tuesday about the UK-wide hack which happened on 23 December.

The firm said they shut down their entire computer network in the early hours of Christmas Eve.

The ID documents retained by the firm are normally copies of passports and driver's licences.

Names, dates of birth, vehicle details, contact details and National Insurance numbers could also have been targeted.

Arnold Clark, which has its headquarters in Glasgow, has almost 200 dealerships across Scotland and England.

It has not said how many customers have been contacted.

Those affected have been offered a two-year subscription to an identity fraud checking service because the hack puts them at a higher risk of being victims of the crime.

A letter to customers from chief executive Eddie Hawthorne and chief operating officer Russell Borrie said investigations were continuing.

"Upon advice from our cyber security team, we understand that some personal data has been extracted by the hackers who carried out the cyber attack," it said.

"We take the protection of your personal data extremely seriously, and we want to assure you that we are doing everything we can to minimise any risk to you from this incident."

'Outrageous'

Arnold Clark has begun rebuilding its computer infrastructure to create a "segregated environment", which prevents hackers who successfully breach one part of the network from being able to access other parts of the company's systems.

Paul Graham, a customer from Clydebank, told BBC Scotland he was angry that he was not told about the data breach for more than a month.

"I just find it outrageous," he said. "No one mentioned when I went into the dealership last week."

He complained that there was no way to speak directly to Arnold Clark about the cyber attack, and that the dedicated helpline set up for affected customers was being managed by credit protection company Experian.

Mr Graham added: "I think it is absolutely dreadful, especially when you think 'what have they got?' It could be enough to take over my whole identity - it's frightening."

Other customers have contacted the company via social media, complaining of a potential General Data Protection Regulation (GDPR) breach.

Under GDPR legislation, which allows a maximum fine of £17.5m, companies "must inform affected individuals without undue delay".

A statement from Arnold Clark said: "While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold."

It added: "During this incident we have been in constant communication with the regulatory authorities and have sought useful guidance from the police, and we will continue to do so to help other companies learn from our experience and be better prepared for possible situations such as this."

The company was set up by the late Sir Arnold Clark, who opened his first showroom in Glasgow's Park Road in 1954.

He was knighted in 2004 and confirmed as Britain's first billionaire car dealer in the Sunday Times Rich List in 2016, before his death in 2017.

The company now has 193 dealerships and is thought to be Europe's largest independent family-run car company.