Lawyers assisting victims of the recent Arnold Clark cyber hack believe that an additional 30GB of personal data has been leaked on the dark web.
Car Dealer reported earlier this year that 15GB of data belonging to the dealer group’s customers had been posted online by a gang of criminal hackers.
Keller Postman – a top firm of London lawyers – has since launched a ‘no-win, no-fee’ scheme to help victims of the recent breach claim compensation.
Speaking exclusively to Car Dealer, the law firm revealed it now believes as much as 45GB of personal data has been leaked on to the dark web.
Lawyer Bill Singer, an associate with Keller Postman, said the amount was still a tiny percentage of the total data, which is alleged to have been seized from Arnold Clark by hackers’ collective Play.
‘This is certainly something that bears mentioning,’ he said.
‘There has been a huge amount of interest in the media – and rightfully so – about the first post of 15GB and how it includes extensive personal data like passports and National Insurance numbers, but there has since been a second post of 30GB of data to the dark web which has not attracted as much coverage.’
When the breach initially took place on December 23, Arnold Clark claimed that there was ‘no evidence of customer information being compromised’.
However, the dealer group later said that names, dates of birth, vehicle information, contact details and National Insurance numbers had been stolen by hackers.
Since then, the most profitable car dealer group in the UK has been informing customers who have been affected.
However, rather than doing this all at once, it has contacted customers at different stages, making it difficult for Keller Postman to know exactly how many people have been affected.
Singer said an ‘educated guess’ placed the number of victims in the tens of thousands or even above 100,000, and predicted that it would take months for everyone who wants to make a claim to be notified by the company and come forward.
From there, it could take some time for a resolution to be found, although an out-of-court settlement could be reached before the case has to be heard by a judge.
Dealer groups: ‘Soft target’
The attack on Arnold Clark is the latest in a long line of cyber attacks involving major dealer groups in recent years.
Last year, Pendragon was subject to a similar attack by hackers demanding payment of $60m.
In February, Robin Luscombe told the Car Dealer Podcast that dealers were ‘defenceless’ against ‘an industry of fraudsters and scammers’.
However, Singer believes that the industry could be doing more to protect its customers’ data and questioned whether businesses were ‘soft targets’ for illegal groups.
‘This is the latest in a long line of attacks on car dealership groups and they are not doing it because it is unprofitable to them,’ he told Car Dealer.
He added: ‘Dealerships are being subject to successful cyber attacks where huge amounts of data get stolen year after year. It’s usually phishing attacks into ransomware, leading to loss of data and bribes being demanded, like in the case of Arnold Clark.
‘This is the fifth attack on a car dealership group in the past three years and despite that it would appear to be business as usual for some companies.’
Since the attack, Arnold Clark has publicly announced that it is rebuilding its systems in a safe manner and it says it takes its duty to protect customer data seriously.
Car Dealer has contacted Arnold Clark for comment.