Car dealership Arnold Clark may have to compensate over 15,000 Scottish drivers

British car dealership Arnold Clark is facing a significant data breach-related compensation claim after Scotland’s apex court gave over 15,000 drivers the permission to pursue the company for monetary redressal.

 

The Court of Session in Glasgow has ruled that about 15,000 drivers in Scotland, whose personal information was compromised during a data security incident affecting Arnold Clark in late 2022, have the right to sue the automobile dealership for monetary compensation.

 

The court did not accept the dealership’s plea to prevent Scottish drivers from suing for compensation. The company argued that a similar action was ongoing in the High Court in London and all affected drivers in Scotland could join the English petition instead of initiating a parallel claim. 

 

The Court ruled that considering 95% of members of the group demanding compensation from Arnold Clark were based in Scotland, they had a contractual relationship with the company and the latter is liable to compensate them for infringements or violations under Scottish law.

 

The litigation arose due to a major ransomware attack on Arnold Clark in December 2022 that compromised customers’ names, contact details, dates of birth, vehicle details, ID documents (such as passports and driver’s licenses), National Insurance numbers (in limited cases) and bank account details. 

 

The Play ransomware gang soon claimed responsibility for the cyber attack on Arnold Clark and uploaded a 15 GB sample of customer data on the dark web to back its claim. The hacker group also threatened to release the remaining 467 GB of customer data it stole from the company if the multi-million-pound ransom wasn’t paid. It is not clear yet if the company has already paid a ransom or whether it is negotiating with the threat actors.

Despite the significant loss of customer data, Arnold Clark stressed that its cyber security controls were adequate at the time of the incident. 

 

"From our investigations, we have concluded that we had appropriate technical and organisational security measures in place at the time of the incident, in accordance with our legal obligations," the company said in a press release. 

"These measures were designed to ensure the prompt identification and containment of malicious activity within our systems, and resulted in the incident being swiftly detected and brought to an end. Since the incident, we have also taken further appropriate steps to seek to prevent future incidents of this nature."

 

The UK’s Information Commissioner’s Office said it investigated the data security incident affecting Arnold Clark and decided that there was no need for a formal regulatory action. 

 

The data protection watchdog refused to make the details of its investigation public, citing section 31 of the Freedom of Information Act which prohibits disclosure of certain records considering their impact on national security and on the ability of public authorities in exercising their duties.