Car dealer Arnold Clark is writing to a number of customers to inform them their personal data was stolen in a cyber attack claimed by the increasingly prolific Play ransomware operation.
The 15GB data dump was posted to the dark web by an individual associated with the Play ransomware cartel, and is now understood to include names, contact details, dates of birth, vehicle details, ID documents including driver’s licences and passports, National Insurance numbers and bank account details.
Glasgow-based Arnold Clark, which is one of Europe’s largest family-run car sales networks, had previously said it believed it had been successful at protecting customer data, but it has now discovered this was not the case.
“While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold,” the organisation said in a statement.
“While this crime and theft of data has been targeted towards Arnold Clark, we recognise the impact this could have on our partners and customers. We take their safety and the safety of their data very seriously.”
Besides writing to all affected and potentially affected customers, Arnold Clark has also stood up a dedicated contact centre to assist customers, and will be offering two years’ worth of free fraud and credit protection services via Experian.
The attack on Arnold Clark took place before Christmas on the evening of 23 December, and forced staff to fall back on pen and paper to record customer transactions after they were locked out of their computers. Customers who had been due to collect new vehicles were also left unable to do so.
Arnold Clark added that as a result of the incident it is now rebuilding its networks in a new segregated environment. This may be taken as an indication that it has refused to negotiate or pay a ransom, although this is unconfirmed. For the time being, this means its operational systems are not yet fully functional, so customers may still experience some inconvenience.
The firm additionally confirmed it is in contact with regulatory authorities including the Information Commissioner’s Office. Given the apparent scale of the data breach that has unfolded, the incident carries the potential for large fines under the scope of the UK General Data Protection Regulation and the possibility of group legal actions from customers.
Phishing risk
The volume and type of data stolen will be of immense value to cyber criminals, and in the near-term future puts Arnold Clark’s customers at significantly elevated risk of falling victim not to the Play ransomware itself, but to follow-on phishing attacks by opportunists.
Those who may be affected should be aware of unusual or suspicious-looking emails from addresses they do not know and trust, and in particular should never open any unsolicited attachments or click on any links in them.
The UK’s National Cyber Security Centre has published thorough guidance on how to recognise and report phishing emails, which can be read here.