Car sales giant Arnold Clark is facing multi-million-pound group action claims from thousands of customers following a data breach, we can reveal.
The firm suffered a cyber attack just before Christmas and customers’ personal information has since been published on the dark web.
At the time, bosses insisted that information was safe but later conceded personal data had been compromised.
Now a number of legal firms have launched schemes to help victims.
Data protection laws state that people can claim compensation from any organisation that breaches those laws, including for any damage or distress caused.
Solicitors Thompsons told The Sunday Post it had been approached by more than 5,000 people who have received a letter from Arnold Clark advising them that their personal data had been compromised.
Patrick McGuire, a partner at the firm, said: “I think this is the tip of the iceberg. The most financially sensitive data has been posted on the dark web and certainly includes data that would allow criminals to steal people’s identities and open fraudulent bank accounts. Our clients are understandably very worried.”
Solicitors Jones Whyte, which has its headquarters in Glasgow, said it had also been contacted by more than 1,000 people who may have been affected and that this number was “continuing to rise by the day”.
Associate Dominic Ritchie, who heads up the data breach claim for the firm, said: “We are in the process of building a strong case and will be looking for significant compensation from Arnold Clark for our clients.”
Customers were emailed in late January about the UK-wide hack that happened on December 23. The company said it closed down its entire computer network on Christmas Eve.
The details held by the firm are believed to include copies of passports and drivers’ licences. Names, dates of birth, vehicle details, contact details and National Insurance numbers could also have been taken.
Arnold Clark, which has its headquarters in Glasgow, has almost 200 dealerships across Scotland and England. It has not said how many customers have been contacted. Those affected have been offered a two-year subscription to an identity-fraud-checking service.
The company said it had taken several steps to protect partners and customers following the cyber attack, including setting up a call centre with its credit reporting agency partners Experian.
“Upon advice from our cyber security team, we understand that some personal data has been extracted by the hackers who carried out the cyber attack,” the company told customers.
“We take the protection of your personal data extremely seriously, and we want to assure you we are doing everything we can to minimise any risk to you from this incident.”
Laura McGee, head of personal injury at legal firm NewLaw Scotland, said: “We have set up cases for each of our clients and claims have been intimated to Arnold Clark. They have, in turn, instructed their own solicitors to investigate the breach and the damage it has caused. It is hoped that Arnold Clark will adequately compensate those affected. However if matters cannot be resolved it is likely that group proceedings will be brought in court to seek justice for the distress, anxiety and financial losses suffered by the victims.”
McGee added: “Unfortunately, I anticipate there could be thousands of victims in Scotland.”
London-based Keller Postman, which has launched a “no win, no fee” scheme for claimants, said it had been contacted by more than 7,500 potential victims across the UK, including a number from Scotland. Bill Singer, an associate at the firm, said: “We have established that more than half a terabyte of Arnold Clark customer data has now been exposed on the dark web – as a car dealership, this means highly sensitive records such as addresses, contact information, payment information, drivers’ licences and passports are available online.
“Our clients are already reporting a range of fraudulent activity stemming from this breach, including current account banking fraud, cloned debit cards, blocked transactions, identity theft, repeated credit checks triggered by unknown fraudsters, phishing emails and scam instant messages.”
Companies caught up in data breaches can also be hit with large fines by the Information Commissioner’s Office (ICO). It fined British Airways a record £20 million after the personal data of more than 400,000 customers and staff was stolen in 2020.
The ICO said: “Arnold Clark made us aware of an incident and we are making inquiries.”
Police Scotland said inquiries into the data breach were ongoing.
Arnold Clark said: “As soon as we knew who had been affected or potentially affected, we notified them and advised them on how to protect themselves against fraudulent activity, including providing two years’ free Identity Plus from Experian.
“Since the incident occurred, we have also engaged on a regular basis with the police and ICO.”
‘Soon after we were told about the data breach, fraudsters used our details’
A couple who have been the victims of identity fraud believe they were targeted by crooks in the wake of the Arnold Clark data breach.
David and Suzanne McDermott, from Alloway, South Ayrshire, were shocked when they started receiving late payment reminders in February from communications company O2, claiming they hadn’t paid bills totalling more than £2,000 for items such as an iPad, an iPhone and associated mobile phone contracts.
The letters came shortly after the couple had received emails from Arnold Clark informing them that their personal details may have been compromised in the data breach that happened just before Christmas.
“We have never had an account with O2, so we couldn’t understand what this was all about,” said McDermott, a 51-year-old dad of three.
“Then we started getting demands from debt collectors, but we knew nothing about these alleged debts and associated defaults. It has been a nightmare.”
The McDermotts subsequently discovered their credit ratings had been significantly downgraded as a result and their credit card spending limits slashed – in one case, from £10,000 to just £300.
“We couldn’t understand how this could have happened, then we remembered the emails from Arnold Clark that we received around the same time as this all started, informing us that our details were at risk, including bank information,” he added.
“Both my wife and I had vehicles with Arnold Clark previously and we believe that it is no coincidence that, soon after we were told about this data breach, our details were being used by fraudsters.”
McDermott, an aerospace engineer, said that, because of the impact on his credit rating, he was forced to pay a higher interest rate to buy a new car and worried that this could also affect work he undertakes for the Ministry of Defence.
The couple reported the incidents to O2, who opened a fraud case, and they also contacted Police Scotland. “The police were sympathetic but said nothing could be done because we hadn’t had any money physically stolen from us at that stage,” David said.
When The Sunday Post contacted O2, the company moved swiftly to cancel the bogus accounts and said it would have the McDermotts’ credit records amended.
O2 said: “They will no longer receive letters requesting any payments.”
Police Scotland confirmed it had been contacted by the couple but declined to comment on any possible connection with the Arnold Clark data breach.
It said: “On March 5, 2023, we received a report relating to identity fraud. Suitable advice was given.”