Compromise
severity: High
2022-12-23
Arnold Clark customer data stolen in Play ransomware attack
published by Computer Weekly
Actor
Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Mic…
Summary
UK car retailer Arnold Clark was hit on 23 December 2022 by a double-extortion attack later claimed by the Play group, which asserted it had exfiltrated 467 GB of data. The stolen records included names, contact details, ID documents, and in some cases National Insurance numbers and bank account data; staff reverted to pen and paper while systems were rebuilt.
Tags
uk, data-extortion, retail
Primary source
computerweekly.com
Other Play events
- 2025-06-04: CISA documents Play ESXi variant and per-victim recompilation
- 2023-12-18: Joint CISA/FBI/ASD advisory AA23-352A on Play ransomware
- 2023-02-08: City of Oakland ransomware attack claimed by Play
- 2023-01-23: A10 Networks breached by Play ransomware affiliates
- 2022-12-02: Rackspace Hosted Exchange outage caused by Play ransomware