- A Scottish judge allowed 15,000 drivers to sue Arnold Clark after a cyber-attack a few years ago led to the theft of customer data.
- The court rejected Arnold Clark’s attempt to block the case. The judge ruled that the Scottish action has no connection to England, since over 95% of affected customers live in Scotland.
- Law firms report thousands more potential claimants, with solicitors stating the stolen data could allow criminals to steal identities and open fraudulent bank accounts.

With a judge’s permission, 15,000 motorists may now file a claim against motor vehicle dealer Arnold Clark. The move follows a cyberattack at the company’s headquarters in December 2022, in which hackers stole users’ details and published them online via the dark web.
The hearing took place in the Court of Session, which is Scotland’s highest civil court, with Lord Sandison presiding over it. Many customers argued that the car dealership did not take sufficient steps to protect their private information. The judge ultimately sided with the drivers.
Arnold Clark tried to stop the legal action. The company’s lawyer, Roddy Dunlop KC, asked the court to block the Scottish case. He suggested that affected drivers should instead join a similar lawsuit already moving through the High Court in London. Lord Sandison rejected this argument completely.
Judge Rules Scottish Case has No Connection to England
In a written judgement published on Thursday, Lord Sandison explained his decision clearly. He noted that more than ninety-five percent of the group members live in Scotland. These customers entered into a contract with a company registered in Scotland. Scottish law governs that contractual relationship.
The judge stated that the situation has no connection whatsoever with England. He concluded that the loss and damage happened in Scotland because the customers live there. Therefore, the Scottish court stands as the most appropriate place to handle the dispute.
Data protection laws give people the right to claim compensation from any organization that breaks those rules. Customers can seek damages for both financial harm and emotional distress caused by the breach.
Stolen Data Includes Passports and Driving Licenses
In late January 2023, Arnold Clark notified its customers about a hack. The company revealed that the attack took place on 23rd December 2022 and that it shut down its entire computer systems on Christmas Eve as a precautionary measure.
The stolen data includes copies of passports and drivers’ licenses, in addition to customers’ names, birth dates, addresses, vehicle details, and National Insurance numbers. This combination of data creates serious risks for identity theft.
Legal firm Thompsons previously told The Sunday Post that more than 5,000 people had approached them for help. These individuals received letters from Arnold Clark warning them that their personal data had been compromised.
According to Patrick McGuire, a partner at Thompsons, the dark web contains very sensitive personal financial information that could allow criminals to steal a person’s identity and create fraudulent bank accounts. He commented that this incident is just a small part of a much larger problem.
The dark web’s criminal ecosystem extends beyond identity theft. A Scottish care worker was recently found to have shared child abuse fantasies on the dark web, demonstrating that the hidden corners of the internet are used for a disturbing range of illegal activities, from financial fraud to the distribution of harmful content involving vulnerable individuals.
Another law firm, Glasgow-based Jones Whyte, has taken calls from over 1,000 people who may be victims of this data breach. This number continues to increase daily.
The Information Commissioner’s Office (ICO) has already warned organizations of the serious consequences of failing to store customer data securely. Under UK data protection laws, companies face heavy fines and compensation claims for failing to meet their security obligations.
Arnold Clark Offered Credit Monitoring but Faces Growing Legal Pressure
Following the cyber-attack, Arnold Clark took several steps to protect affected customers. The company set up a dedicated call centre in partnership with credit reporting agency Experian. They also offered affected individuals a two-year subscription to an identity fraud checking service.
In a message sent to its customers around this time, the firm confirmed that cybercriminals had stolen parts of their personal information. The company also stated that it treats the security of its data with the utmost seriousness and has implemented measures to reduce any risk to its customers.
A man named Robert Adamson brought the current action to the Court of Session. He applied to raise the case for himself and the other affected motorists. Lord Sandison noted that Arnold Clark had appealed his decision allowing the case to proceed. The judge wrote a full judgement explaining his reasoning.
Past group proceedings at the same court involved ex-players of the Celtic Boys Club and Kenyan tea pickers who worked for James Finlay, a company founded in Scotland in 1750. The Arnold Clark case now joins this list of major collective actions heard in Scotland’s highest court.