Calendar An icon of a desk calendar. Cancel An icon of a circle with a diagonal line across. Caret An icon of a block arrow pointing to the right. Email An icon of a paper envelope. Facebook An icon of the Facebook "f" mark. Google An icon of the Google "G" mark. Linked In An icon of the Linked In "in" mark. Logout An icon representing logout. Profile An icon that resembles human head and shoulders. Telephone An icon of a traditional telephone receiver. Tick An icon of a tick mark. Is Public An icon of a human eye and eyelashes. Is Not Public An icon of a human eye and eyelashes with a diagonal line through it. Pause Icon A two-lined pause icon for stopping interactions. Quote Mark A opening quote mark. Quote Mark A closing quote mark. Arrow An icon of an arrow. Folder An icon of a paper folder. Breaking An icon of an exclamation mark on a circular background. Camera An icon of a digital camera. Caret An icon of a caret arrow. Clock An icon of a clock face. Close An icon of the an X shape. Close Icon An icon used to represent where to interact to collapse or dismiss a component Comment An icon of a speech bubble. Comments An icon of a speech bubble, denoting user comments. Comments An icon of a speech bubble, denoting user comments. Ellipsis An icon of 3 horizontal dots. Envelope An icon of a paper envelope. Facebook An icon of a facebook f logo. Camera An icon of a digital camera. Home An icon of a house. Instagram An icon of the Instagram logo. LinkedIn An icon of the LinkedIn logo. Magnifying Glass An icon of a magnifying glass. Search Icon A magnifying glass icon that is used to represent the function of searching. Menu An icon of 3 horizontal lines. Hamburger Menu Icon An icon used to represent a collapsed menu. Next An icon of an arrow pointing to the right. Notice An explanation mark centred inside a circle. Previous An icon of an arrow pointing to the left. Rating An icon of a star. Tag An icon of a tag. Twitter An icon of the Twitter logo. Video Camera An icon of a video camera shape. Speech Bubble Icon A icon displaying a speech bubble WhatsApp An icon of the WhatsApp logo. Information An icon of an information logo. Plus A mathematical 'plus' symbol. Duration An icon indicating Time. Success Tick An icon of a green tick. Success Tick Timeout An icon of a greyed out success tick. Loading Spinner An icon of a loading spinner. Facebook Messenger An icon of the facebook messenger app logo. Facebook An icon of a facebook f logo. Facebook Messenger An icon of the Twitter app logo. LinkedIn An icon of the LinkedIn logo. WhatsApp Messenger An icon of the Whatsapp messenger app logo. Email An icon of an mail envelope. Copy link A decentered black square over a white square.

Thousands launch multi-million-pound action over Arnold Clark data breach

© Andrew CawleyIdentity fraud victims Suzanne and David McDermott in Alloway last week
Identity fraud victims Suzanne and David McDermott in Alloway last week

Car sales giant Arnold Clark is facing multi-million-pound group action claims from thousands of customers following a data breach, we can reveal.

The firm suffered a cyber attack just before Christmas and customers’ personal information has since been published on the dark web.

At the time, bosses insisted that information was safe but later conceded personal data had been compromised.

Now a number of legal firms have launched schemes to help victims.

Data protection laws state that people can claim compensation from any organisation that breaches those laws, including for any damage or distress caused.

Solicitors Thompsons told The Sunday Post it had been approached by more than 5,000 people who have received a letter from Arnold Clark advising them that their personal data had been compromised.

Patrick McGuire, a partner at the firm, said: “I think this is the tip of the iceberg. The most financially sensitive data has been posted on the dark web and certainly includes data that would allow criminals to steal people’s identities and open fraudulent bank accounts. Our clients are understandably very worried.”

Solicitors Jones Whyte, which has its headquarters in Glasgow, said it had also been contacted by more than 1,000 people who may have been affected and that this number was “continuing to rise by the day”.

Associate Dominic Ritchie, who heads up the data breach claim for the firm, said: “We are in the process of building a strong case and will be looking for significant compensation from Arnold Clark for our clients.”

Customers were emailed in late January about the UK-wide hack that happened on December 23. The company said it closed down its entire computer network on Christmas Eve.

The details held by the firm are believed to include copies of passports and drivers’ licences. Names, dates of birth, vehicle details, contact details and National Insurance numbers could also have been taken.

Arnold Clark, which has its ­headquarters in Glasgow, has almost 200 dealerships across Scotland and England. It has not said how many customers have been contacted. Those affected have been offered a two-year subscription to an ­identity-fraud-checking service.

The company said it had taken several steps to protect partners and customers following the cyber attack, including setting up a call centre with its credit reporting agency partners Experian.

“Upon advice from our cyber security team, we understand that some personal data has been extracted by the hackers who carried out the cyber attack,” the company told customers.

“We take the protection of your personal data extremely seriously, and we want to assure you we are doing everything we can to minimise any risk to you from this incident.”

Laura McGee, head of ­personal injury at legal firm NewLaw Scotland, said: “We have set up cases for each of our clients and claims have been intimated to Arnold Clark. They have, in turn, instructed their own solicitors to investigate the breach and the damage it has caused. It is hoped that Arnold Clark will adequately compensate those affected. However if matters cannot be resolved it is likely that group proceedings will be brought in court to seek justice for the distress, anxiety and financial losses suffered by the victims.”

McGee added: “Unfortunately, I anticipate there could be thousands of victims in Scotland.”

London-based Keller Postman, which has launched a “no win, no fee” scheme for claimants, said it had been contacted by more than 7,500 potential victims across the UK, including a number from Scotland. Bill Singer, an associate at the firm, said: “We have established that more than half a terabyte of Arnold Clark customer data has now been exposed on the dark web – as a car dealership, this means highly sensitive records such as addresses, contact information, payment information, drivers’ licences and passports are available online.

“Our clients are already ­reporting a range of fraudulent activity stemming from this breach, including current account banking fraud, cloned debit cards, blocked transactions, identity theft, repeated credit checks triggered by unknown fraudsters, phishing emails and scam instant messages.”

Companies caught up in data breaches can also be hit with large fines by the Information Commissioner’s Office (ICO). It fined British Airways a record £20 million after the personal data of more than 400,000 customers and staff was stolen in 2020.

The ICO said: “Arnold Clark made us aware of an incident and we are making inquiries.”

Police Scotland said inquiries into the data breach were ongoing.

Arnold Clark said: “As soon as we knew who had been affected or potentially affected, we notified them and advised them on how to protect themselves against fraudulent activity, including providing two years’ free Identity Plus from Experian.

“Since the incident occurred, we have also engaged on a regular basis with the police and ICO.”

‘Soon after we were told about the data breach, fraudsters used our details’

David and Suzanne McDermott © Andrew Cawley
David and Suzanne McDermott

A couple who have been the victims of identity fraud believe they were targeted by crooks in the wake of the Arnold Clark data breach.

David and Suzanne McDermott, from Alloway, South Ayrshire, were shocked when they started receiving late payment reminders in February from communications company O2, claiming they hadn’t paid bills totalling more than £2,000 for items such as an iPad, an iPhone and associated mobile phone contracts.

The letters came shortly after the couple had received emails from Arnold Clark informing them that their personal details may have been compromised in the data breach that happened just before Christmas.

“We have never had an account with 02, so we couldn’t understand what this was all about,” said McDermott, a 51-year-old dad of three.

“Then we started getting demands from debt collectors, but we knew nothing about these alleged debts and associated defaults. It has been a nightmare.”

The McDermotts subsequently discovered their credit ratings had been significantly downgraded as a result and their credit card spending limits slashed – in one case, from £10,000 to just £300.

“We couldn’t understand how this could have happened, then we remembered the emails from Arnold Clark that we received around the same time as this all started, informing us that our details were at risk, including bank information,” he added.

“Both my wife and I had vehicles with Arnold Clark previously and we believe that it is no coincidence that, soon after we were told about this data breach, our details were being used by fraudsters.”

McDermott, an aerospace engineer, said that, because of the impact on his credit rating, he was forced to pay a higher interest rate to buy a new car and worried that this could also affect work he undertakes for the Ministry of Defence.

The couple reported the incidents to O2, who opened a fraud case, and they also contacted Police Scotland. “The police were sympathetic but said nothing could be done because we hadn’t had any money physically stolen from us at that stage,” David said.

When The Sunday Post contacted 02, the company moved swiftly to cancel the bogus accounts and said it would have the McDermotts’ credit records amended.

O2 said: “They will no longer receive letters requesting any payments.”

Police Scotland confirmed it had been contacted by the couple but declined to comment on any possible connection with the Arnold Clark data breach.

It said: “On March 5, 2023, we received a report relating to identity fraud. Suitable advice was given.”