A data breach at Sandicliffe Motor Group could affect “thousands” of staff and customers of the AM100 car retailer, according to a legal firm.
Bank account details and medical histories may be included in the information taken in the cyber-attack, which was initially reported to the Information Commissioner’s Office (ICO) back in February after an employee opened a link in an unsolicited email.
No further action is being taken by the ICO, but data breach specialist CEL Solicitors is now discussing breaches with a number of people affected by the hacking – among them both current and past employees, as well as customers.
The firm is warning staff and customers to remain vigilant and notify their bank immediately if they think they could have had data stolen.
Mark Montaldo, a director at CEL Solicitors, said: “In the case of Sandicliffe, it is concerning that there appears to have been a significant delay in notifying those who may have had their data breached, but it is essential that you notify your bank as soon as possible if you think you’ve been affected.
“With a total of 10 showrooms, this incident is likely to have affected hundreds, maybe even thousands of people – it’s therefore extremely important for the company, its staff and those customers who have been affected, to remain on alert for any unusual activity with their bank or with other personal information.”
CEL said that the amount of data taken will vary for each individual, dependent upon their role in the company and how much of their information was held on record.
In a statement issued to the Nottingham Post, Sandicliffe managing director Paul Woodhouse said: “We can confirm Sandicliffe experienced a cybersecurity breach as a result of a sophisticated attack by a third party.
“As soon as we became aware, we took immediate steps to contain and remedy the breach and security was quickly re-established.
“Sandicliffe take data and IT security extremely seriously and this breach did not affect our ability to operate.
“We have also complied with our legal requirements and have notified relevant affected individuals.
“As the relevant regulator, the ICO, were notified and, after assessment, have confirmed that they will not be taking further action.”