Sensitive personal data allegedly stolen from Arnold Clark, one of the United Kingdom’s largest car dealerships, has been posted online by the PLAY ransomware group.
The company had claimed in a Tweet on January 3 to have protected customer data after it discovered suspicious traffic on its network back in December, although it did not confirm the nature of the attack.
“Our priority has been to protect our customers’ data, our systems and our third-party partners,” the company stated, adding that “this has been achieved.”
A statement from the Arnold Clark Group. pic.twitter.com/jxeVcpKS62— Arnold Clark (@ArnoldClark) January 3, 2023
Its statement has not been updated following the publication last week of what appear to be customer details on the PLAY ransomware group’s extortion site.
Arnold Clark’s press office did not immediately respond to The Record’s request for comment.
The data includes National Insurance numbers (the equivalent of Social Security numbers in the U.S.) and passport data, alongside addresses and phone numbers. Also published were bank statements and car finance documents for customers of the Glasgow-based business.
Data belonging to private and corporate customers is believed to be included in the leak.
Arnold Clark, which employs more than 11,000 people across 193 dealerships in Britain, stated the attack had “caused temporary disruption to our business and unfortunately our customers” and apologized for any inconvenience it caused.
The full impact of the incident on the company’s operations is not clear.
“Our external security partners have now been performing an extensive review of our whole IT network and infrastructure, which is a mammoth task, and they are providing guidance to our IT team on the re-enabling of our network and systems in a safe, secure and phased manner,” the statement from January 3 said.
As of Monday morning, Arnold Clark’s newsroom, which typically features a new post including car reviews every few days, has not been updated for more than a month. The most recent post was made on December 20, before the incident was discovered.