Ransomware Gang Stole Customer Data, Arnold Clark ConfirmsExtortionists Dump Private and Corporate Customer Data From European Car Giant
It was a bleak Christmas in Britain for a number of organizations that got hit with ransomware. Unfortunately for some of them, the picture has been getting worse.
Automobile retailer Arnold Clark, in an update to customers, now reports that ransomware-wielding attackers who hit it over the holidays didn't just crypto-lock systems; they also stole data.
When attackers first infiltrated Arnold Clark's network has yet to be publicly disclosed. But on the evening of Friday, Dec. 23, "our external security network consultants alerted us to unusual activity on our network, and we immediately took steps to minimize the impact of the attack by removing all external connections to our network to protect our customer data, third-party partners and our systems," it says.
At Glasgow-based Arnold Clarke, which is one of the largest car dealer groups in Europe - employing 11,000 people and selling over 300,000 cars annually - investigators probing the breach initially found no evidence that attackers had exfiltrated data. On Jan. 3, the company said, "Our external security partners are now conducting an extensive audit of our entire IT network and infrastructure, which is a mammoth task," and that it would reactivate each part only after it had been confirmed to be safe.
The picture has since changed. "While we were initially advised that all our data was secure, unfortunately, in the course of our investigation, it has become clear that during this incident, the attackers were able to steal copies of some data that we hold," the company reports in an updated breach notification issued Saturday.
The company directly contacted "our affected and potentially affected customers" of its nearly 200 dealerships across Scotland and England with the updated breach alert on Tuesday. Besides selling cars and vans, the company also services and rents vehicles and parts.
"It is worth noting that Arnold Clark's external network consultants detected the attack due to unusual network behavior on Arnold Clark's network," says Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting. "This is heartening to see, and Arnold Clark should be commended for having these capabilities in place."
But the company says it doesn't yet know the full extent of data that might have been stolen. "It is extremely difficult to accurately identify what has been stolen; however, our teams are working with our external advisors to understand the exact nature and extent of that data."
"It is unfortunate that Arnold Clark cannot determine what data has been exfiltrated but this could be due to several reasons, such as the data was exfiltrated using valid stolen credentials so the behavior may have appeared normal, or the logging on the systems the data was exfiltrated from was not comprehensive enough," says Honan, who also founded Ireland's first computer security incident response team, IRISS-CERT, and regularly assists organizations with responding to incidents.
Arnold Clark may have first learned data was stolen because attackers leaked it. The company didn't immediately respond to a request for comment.
On Jan. 11, the Play - aka PlayCrypt - ransomware group added Arnold Clark to its list of data breach victims. The group is one of a number of criminal syndicates that publicize some victims who don't quickly pay a ransom, as well as practice double extortion, which means they threaten to leak stolen data, whether or not they actually stole any.
The intent is psychological: The criminals hope to exert pressure on the victim to pay, and if the victim does not, to show future victims the repercussions of failing to pay.
In its Jan. 11 victim listing for the car dealership giant, Play leaked what it said was 15 gigabytes of stolen data, adding in choppy English: "if there not reaction full dump will be uploaded."
On Jan. 17, Play leaked a 467-gigabyte archive that it says contains "private and personal data, passports, IDs, confidential contracts, agreements, leasing contracts, finance information and many others" stolen from Arnold Clark.
In terms of private and personal data, according to press reports, the leak included both private and corporate customers' names, email addresses, birthdates, phone numbers and other information. Because the information was publicly leaked, it could be used by any criminal to try and socially engineer or extort victims.
Arnold Clark didn't immediately comment about whether it paid any ransom, but it appears to have not done so, since it's still listed on Play's site.
The company has apologized to customers and business partners for the attack. It also has promised to share additional lessons learned from the attack to help others and says it is taking steps to lock down its infrastructure.
"As a result of this incident, we have taken the decision to rebuild our networks in a new segregated environment, which has meant that our operational systems are not yet fully functional, so we apologize for any inconvenience this may cause our customers," it says.
The company says it will provide all affected or potentially affected customers with 24 months of credit monitoring services via Experian and says the credit monitoring company is setting up a dedicated call center with more information.
"It is good to see Arnold Clark take a lessons learnt approach to this incident by implementing measures such as network segmentation to improve their security," Honan says. "I often say: Do not let a cyber breach go to waste. Use it to learn lessons … from someone else's misfortune so that you can improve your own security."