Arnold Clark has told some customers that hackers may have gained access to their bank details and ID documents.
In a note, chief executive Eddie Hawthorne updated customers about the hack that took place on December 23.
The most profitable car dealer in the UK – according to the Car Dealer Top 100 – told customers that their names, dates of birth, vehicle information, contact details and National Insurance numbers may also have been compromised.
The car dealer group reported that it first thought customer data was safe, but it has since transpired this was not the case.
Reports last week suggested the hackers were demanding millions in ransom after threatening to release the data on to the dark web.
Some 15GB of personal data had already been released and the hacking group Play said it had access to 467GB more. It is not known how many customers are affected.
Arnold Clark said: ‘While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold.
‘Due to the type of cyber attack that we have been subjected to, it is extremely difficult to accurately identify what has been stolen. However, our teams are working with our external advisers to understand the exact nature and extent of that data.’
Arnold Clark’s attack took place just before Christmas and the dealer group shut down its systems soon after that. It was reported these remained off-line for weeks, with staff forced back to pen and paper.
At the time, the dealer group said there was ‘no evidence customer information had been compromised’.
The problems with its systems continue and Arnold Clark says it has now been forced to build a ‘segregated environment’ to ring-fence its data.
The firm has decided to rebuild its entire network within this new environment, and this will take time to come on stream.
‘This has meant that our operational systems are not yet fully functional, so we apologise for any inconvenience this may cause our customers,’ added Arnold Clark.
‘When our external security network consultants alerted us to unusual activity on our network, we immediately took steps to minimise the impact of the attack by removing all external connections to our network to protect our customer data, third-party partners and our systems.’
The dealer group told customers it takes their ‘safety and the safety of their data very seriously’ and said it would be taking a number of steps as ‘analysis continues’.
These include setting up a dedicated call centre to help those affected and providing regular updates on its website.
The dealer group added: ‘We will also offer our affected and potentially affected customers 24 months’ fraud/credit protection with Experian free of charge.’
Some customers have complained about the length of time it took Arnold Clark to fully admit the extent of the breach.
One customer told the BBC he found it ‘outrageous’ no one informed him when he visited a dealership.
Paul Graham said: ‘I think it is absolutely dreadful, especially when you think what have they got? It could be enough to take over my whole identity – it’s frightening.’
The BBC added that under GDPR law a fine of up to £17.5m could be levied and that firms are told they must ‘inform affected individuals without undue delay’.
Arnold Clark made £398.1m EBITDA profit in 2021 and was the most profitable car dealer in our list by some margin. The next best-placed dealer group, Sytner, was some £152m adrift in second place.