Drivers have been handed a major lifeline after a ruling approved a compensation claim in Scotland against car dealer Arnold Clark following a large cyber-attack and data breach.
The cyber-attack occurred in December 2022, leading to the theft of customer information, which later appeared on the dark web. Customers were told in early 2023 their personal data may have been accessed after the company discovered the breach.
Arnold Clark said at the time it had been forced to shut down its entire computer network on Christmas Eve after identifying the attack. It was later confirmed hackers had extracted customer data, with roughly 15,000 drivers impacted.
The information taken included copies of passports and driving licences, as well as names, dates of birth, addresses, vehicle details, contact information and National Insurance numbers.
Lawyers for affected customers said the breach has caused serious concern about identity theft and financial fraud. One legal firm said the stolen data included material that could allow criminals to open fraudulent bank accounts.
The legal case was brought as a group action by drivers in Scotland, who are now seeking compensation for distress and potential losses caused by the breach.
This week, a judge at the Court of Session, Scotland's highest civil court, ruled the Scottish case can proceed, in a welcome move for the impacted drivers.
But Arnold Clark tried to stop the Scottish proceedings, arguing the case should not be heard in Scotland because similar legal action is already underway in England.
The court ruling has now meant drivers can successfully claim compensation for the data breach
| GETTYIts lawyers said all claims should be handled in one place, the High Court in England, to avoid duplication, extra cost, and the risk of inconsistent judgments.
However, the judge rejected that argument. In his ruling, Lord Sandison said there was no meaningful link between the dispute and England, adding it had "no connection whatsoever with England".
He also found the vast majority of claimants were based in Scotland and had contracts with a company registered in Scotland, governed by Scottish law.
The court said the key question was which forum was most appropriate to hear the case. The judge said the correct approach was to identify the place with "the most real and substantial connection" to the dispute.
LATEST DEVELOPMENTS
The attack saw personal data stolen from customers, including driving licence information
| PAOn that basis, he concluded Scotland was the correct forum. Arnold Clark argued the English court was already dealing with a similar case involving cyberattack victims and Scottish claimants should join that process.
The company said it would be more efficient for all claimants to proceed together in England. It also argued running two separate group actions would lead to duplicated work, higher legal costs and the possibility of conflicting outcomes.
Its legal team told the court Scottish drivers could simply join the English case, which was already underway.
But the court said the argument was not strong enough to override Scotland's connection to the case.
Roughly 15,000 drivers were impacted by the cyberattack
| PEXELSHe also said the existence of English proceedings did not automatically make England the correct forum for the
The court will later consider the substance of the case, including whether Arnold Clark failed to protect customer data and whether compensation should be awarded.
Arnold Clark told GB News: "Arnold Clark acknowledges the decision of the court.
"As a company, we deny any liability and will continue to vigorously defend the action. As this matter is subject to ongoing legal proceedings, we will not be making any further comment at this time.
"We take the protection of our customers' and partners' personal information extremely seriously.
"At the time of the event, Arnold Clark took immediate and decisive action, including shutting down our IT systems, notifying the relevant authorities and engaging leading specialists to investigate and contain the incident. We also contacted customers directly and provided guidance on protecting customer data.
"In partnership with Experian, we also offered complimentary access to specialist services."
Our Standards: The GB News Editorial Charter