About 15,000 drivers can pursue Arnold Clark data breach claim

About 15,000 drivers have been given the go ahead to pursue a compensation claim against Arnold Clark after a dark web data breach.

The car dealership company suffered a cyber attack in 2022 which resulted in customer data appearing online.

Arnold Clark, which has its headquarters in Glasgow, had argued that any legal action should be stopped because a similar case is already being pursued in England.

But the Court of Session - Scotland's highest civil court - has ruled that because the vehicles were sold in Scotland, thousands of customers could proceed with their claim.

In the latest set of group proceedings to be heard at the Court of Session, Lord Sandison heard evidence that many customers did not believe the firm did enough to protect their personal information.

Arnold Clark's lawyer, Roddy Dunlop KC, asked that permission not be granted for the customers to proceed. He suggested it would be more appropriate for Scottish drivers to join in the English action at the High Court in London.

In a written judgement published by the court on Thursday, Lord Sandison rejected the arguments made to him by Arnold Clark's legal team.

The judge concluded that more than 95% of the group members live in Scotland and were in a contractual relationship with a company registered in Scotland and governed by Scots law.

He said the situation has no connection whatsoever with England.

Data protection laws say people can claim compensation from any organisation that breaches Scots law, including for any damage or distress caused.

Legal firm Thompsons previously told The Sunday Post newspaper it had been approached by more than 5,000 people who have received a letter from Arnold Clark advising them that their personal data had been compromised.

Partner Patrick McGuire told the newspaper: "I think this is the tip of the iceberg.

"The most financially sensitive data has been posted on the dark web and certainly includes data that would allow criminals to steal people's identities and open fraudulent bank accounts.

"Our clients are understandably very worried."

Solicitors Jones Whyte, which has its headquarters in Glasgow, said it had also been contacted by more than 1,000 people who may have been affected and that this number was "continuing to rise by the day".

Customers were emailed in January 2023 about the UK-wide hack that happened on 23 December.

The company said it closed down its entire computer network on Christmas Eve.

The details held by the firm were believed to include copies of passports and drivers' licences.

Names, dates of birth, vehicle details, contact details and National Insurance numbers could also have been taken.

The company said it had taken several steps to protect partners and customers following the cyber attack.

"Upon advice from our cyber security team, we understand that some personal data has been extracted by the hackers who carried out the cyber attack," the company told customers at the time.

"We take the protection of your personal data extremely seriously, and we want to assure you we are doing everything we can to minimise any risk to you from this incident."

In the latest case, a man called Robert Adamson applied to the Court of Session to raise the action for himself and the other drivers.

Lord Sandison wrote that Arnold Clark had appealed his finding allowing permission to proceed and he had written a judgement to explain his decision.

Previous group proceedings heard at the Court of Session have involved former players of Celtic Boys Club and Kenyan tea pickers who worked in the African country for James Finlay, a company founded in Scotland in 1750.