UK car dealer Arnold Clark notified customers on Tuesday that their data was compromised in a data breach that took place in December 2022.
First disclosed by the company on Twitter on January 03, the breach led the company to take its systems offline, including dealerships and third-party connections.
"Our priority has been to protect our customers' data, our systems and our third-party partners," the company wrote at the time.
"While this has been achieved, this action has caused temporary disruption to our business and, unfortunately, our customers."
This week, Arnold Clark confirmed that specific customer details had been compromised in the breach.
According to an email seen by Infosecurity, affected data included names, contact details, dates of birth, vehicle details and ID documents (like passports and driver's licenses). Some National Insurance numbers and bank account details were also affected.
"This incident emphasizes just how important it is for retailers to protect customer data effectively," said Erfan Shadabi, a cybersecurity expert at comforte AG.
"These industries thrive on online transactions, which also require them to collect sensitive PII [personally identifiable information] that threat actors are always targeting," Shadabi told Infosecurity in an email.
According to the security expert, companies must understand the "nature" of the sensitive data they protect and find suitable methods to guard it rather than just the borders around it.
"Data-centric security like tokenization and format-preserving encryption isn't just for the gargantuan enterprises spanning the globe," Shadabi explained.
"Even a small- or medium-sized organization can suffer a large-scale attack on their data — to devastating consequences, unless [...] a smart, data-centric security strategy stands in the way."
In the email to customers this week, Arnold Clark also warned them of potential phishing attacks as the company continues investigating the incident.
The attack against Arnold Clark is not the first one targeting the automotive industry in recent times.
In May 2022, General Motors revealed it was hit by a credential-stuffing attack. Months later, Holdcroft Motor Group was presented with a ransom demand after hackers stole two years' worth of data.