On the evening of 23 December 2022, the Arnold Clark Group was the victim of a cyber attack. Since the incident, we have worked very hard to understand both how the incident occurred and its effects.
In responding to this incident, we have worked closely from the outset with the relevant regulators and have liaised with the police. We can confirm that we were recently informed by the ICO – the UK data protection regulator – that they do not intend to take any formal regulatory action and consider the matter to be closed.
We have also now completed our complex and wide-ranging investigations into the incident, which included working alongside third-party expert consultants to carry out forensic analysis. From our investigations, we have concluded that we had appropriate technical and organisational security measures in place at the time of the incident, in accordance with our legal obligations. These measures were designed to ensure the prompt identification and containment of malicious activity within our systems, and resulted in the incident being swiftly detected and brought to an end. Since the incident, we have also taken further appropriate steps to seek to prevent future incidents of this nature.
We proactively contacted customers to notify them of the incident, and to offer them guidance and protection in conjunction with our partners, Experian.
We have always taken and will continue to take, the security of our customer data extremely seriously.
We thank you for your patience and cooperation during this period, and we look forward to continuing to serve our customers.