Data protection is an important issue for all dealers and rising fast up the agenda for management. In the UK, dealer groups including Pendragon and Arnold Clark have been targeted. In January, software company Mad Devs warned that 2023 could see record levels of cybercrime.
It advised dealers to be on alert and work closely with their suppliers to ensure that security measures are in place and followed. The Cyber Security Breaches Survey 2022, published by the Department for Digital, Culture, Media and Sport (now renamed) showed that in 12 months, 39% of UK businesses identified a cyber attack, a figure consistent with previous years of the survey.
Of the 39% of UK businesses who identified an attack, the most common threat vector was phishing attempts (83%). Around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.
The survey found that when it comes to security, size does matter. Among large businesses, 80% update the board on cyber security at least quarterly, 63% conducted a risk assessment, and 61% carried out staff training. Just over half of businesses (54%) have acted in the past 12 months to identify cyber security risks, taking a range of actions of which security monitoring tools (35%) were the most common.
Incident management policy is limited, with only 19% of businesses having a formal incident response plan, while 39% have assigned roles should an incident occur. In contrast, businesses show a clear reactive approach when breaches occur, with 84% of businesses saying they would inform the board, while 73% would assess the attack.
Outside of working with external cyber security providers, organisations most keenly engage with insurers, where 43% of businesses have an insurance policy that covers cyber risks. On the other hand, only 6% of businesses have the Cyber Essentials certification. This is a Government-backed and industry-supported scheme that helps businesses protect themselves against the growing threat of cyber attacks and provides a clear statement of the basic controls organisations should have in place to protect themselves. Just 1% have Cyber Essentials Plus, which is largely due to relatively low awareness.
The issue of cyber security will be a key area of debate at the Motor Retailing EXPO 2023 taking place at Silverstone this month. Sarah Armstrong-Smith, the chief security advisor at Microsoft, will deliver a keynote address. Armstrong-Smith is at the forefront of leading businesses through digital attacks and teaching organisations how to protect their data.
Specialising in disaster recovery, she works in digital transformation and offers advice on cyber security strategies, ensuring stronger defences against attackers. At Silverstone she will supply market-leading guidance on common security threats and prepare businesses for any future attacks.
Motor Trader plans a key session on the topic with input from dealers who can share their experience and best practice so the sector as a whole can benefit. Cyber-crime is the common enemy of all dealers, regardless of size.
The issue of cyber crime and car dealers is one of growing concern but of course by the nature of the events, the majority go unreported. Two that did make the headlines were Pendragon and Arnold Clark.
Pendragon was the subject of a cyberattack by a group known as LockBit 3.0, which was reported to be demanding a £54m ransom. When the attack went public Pendragon released a statement, saying it had identified “suspicious activity” on part of its IT systems and confirmed it had experienced an IT security incident. It said the incident had not affected its ability to operate, and it continued to service its customers and communities as normal. Upon discovery, it took immediate steps to contain the incident.
Pendragon, of course, owns software business Pinewood, and Pendragon emphasised that this company was completely unaffected.
Bill Berman, CEO of Pendragon, subsequently told Motor Trader in June that the company’s systems had prevailed. Berman pointed out that Pendragon and Pinewood (its software business) have their own separate security systems. The two entities also had separate cyber insurance in place.
The attackers got in through an old computer, one of about 100 from 10,000 switching to cloud base. “One of the security protocols we had in place found the intruder and we were able to lock it down. And they were not able to garner anything of value,” he said.
In April Motor Trader reported that Arnold Clark could face compensation claims from thousands of customers whose data was allegedly breached in late 2022. One London legal firm claims to be representing 7,500 customers who are seeking redress for the data breach. Keller Postman UK said it launched an investigation and group action to find out what happened and how this breach affected Arnold Clark customers.
“Our data breach group action will help affected customers in England & Wales claim compensation for the security failures. We currently represent in excess of 7,500 customers and are helping them to seek information and redress.”
The Sunday Post reported that Scottish solicitors Thompsons and Jones Whyte had been approached by customers over the data breach. Arnold Clark said at the time it was working hard to deal with the situation with all parties. In a statement released to Motor Trader it said:
“While this crime and theft of data has been inflicted on Arnold Clark, along with many other organisations this year, we recognise the impact this can have on our partners and customers. We take their safety and the safety of their data very seriously, and while undergoing investigations, we took several proactive steps to ensure the best possible protection for them.”
It said it had acted immediately to offer help to its customers.
“As soon as we knew who had been affected or potentially affected, we notified them and advised them on how to protect themselves against fraudulent activity, including providing two years’ free Identity Plus from Experian.”
And it was in regular contact with police and the Information Commissioner’s Office.
“Since the incident occurred, we have also engaged on a regular basis with the police and ICO.
“We would like to thank our customers and partners for their patience during this process. As a business, we take all forms of security very seriously and this attack on our systems was unprecedented.”
Arnold Clark also said it was willing to work with other companies to share its learnings from the experience.
“In light of our experience in managing this incident, and subsequent attacks on other organisations, we would like to work with other companies to help them understand current cyber threats and the steps we have taken, to help them be as prepared as possible for a similar situation.”