Cyber Incident Victim: Sandicliffe
Date: Nov 2020
Location: United Kingdom
Summary
A UK car dealership suffered a data breach after an employee opened a malicious link in an unsolicited email, compromising sensitive personal information. The incident exposed bank account details and medical histories of potentially thousands of individuals across the company's five showrooms in Nottinghamshire. The attack highlights risks associated with non-medical entities holding highly sensitive health and financial data.
Description
The Sandicliffe car dealership cyber incident occurred in February 2020 when an employee at one of the company's five Nottinghamshire showrooms opened a malicious link contained within an unsolicited email. This action enabled unauthorized actors to access the dealership's systems and exfiltrate sensitive personal data belonging to customers and potentially other individuals. The compromised information included bank account details and medical histories, representing highly sensitive categories of personal data. While the exact number of affected individuals remains unspecified in public disclosures, initial assessments indicated "possibly thousands" of people could have had their information stolen. The breach persisted undetected for approximately nine months before public disclosure occurred on November 7, 2020, through media reports. No technical details regarding the attack vector beyond the phishing email or specific system compromises were disclosed by the company or investigators.

Sandicliffe publicly confirmed the breach through media statements following the November 2020 disclosure, though the exact date of internal discovery remains unclear from available sources. The dealership initiated notifications to potentially affected individuals regarding the exposure of their financial and medical information. No information was released regarding containment measures, forensic investigations, or whether law enforcement identified the threat actors. The incident highlighted data protection risks associated with non-medical entities retaining sensitive health information, as medical histories formed part of the compromised dataset alongside financial records. Public reporting did not specify whether regulatory investigations or penalties resulted from the breach, nor were details provided about remediation efforts offered to victims beyond initial disclosure notifications.
