Cyber Incident Victim: Pendragon Group
Date: Oct 2022
Location: United Kingdom
Summary
The Pendragon Group, a UK-based automotive retailer, experienced a LockBit ransomware attack in which the attackers demanded $60 million. The company refused to pay or negotiate, promptly reported the incident to law enforcement and data protection authorities, and confirmed no operational impact. Investigations revealed that the attackers exfiltrated 5% of the database and provided stolen files as proof of the breach, but the firm maintained normal customer services throughout the incident.
Description
In September 2022, the LockBit ransomware gang breached Pendragon Group, a UK-based automotive retailer operating over 200 dealerships under brands including CarStore, Evans Halshaw, and Stratstone. The attackers compromised systems storing customer and operational data across Pendragon's network, which supports sales of luxury brands such as Jaguar, Porsche, Ferrari, and mainstream manufacturers like Ford, Hyundai, and Renault. Approximately one month after the initial intrusion, LockBit demanded $60 million in exchange for decrypting files and withholding stolen data from public release. Pendragon's IT security team detected the breach promptly and initiated containment procedures, limiting the attackers' access to company systems. Chief Marketing Officer Kim Costello confirmed the gang provided evidence of stolen files to substantiate their claims during communications. The company maintained full operational capacity throughout the incident, with customer services and dealership functions continuing without disruption.

Pendragon's leadership refused to engage in ransom negotiations or payment, citing a firm policy against funding criminal enterprises. Following internal forensic analysis, the company determined that LockBit exfiltrated approximately 5% of its total database, though specific data categories or records affected were not disclosed. Pendragon reported the incident to UK law enforcement agencies and the Information Commissioner's Office (ICO), the nation's data protection authority, in compliance with regulatory obligations. No evidence emerged suggesting customer transactions, financial systems, or vehicle inventory management platforms were functionally impaired. The organization did not publicly disclose remediation costs, potential data exposure liabilities, or whether third-party cybersecurity firms assisted in the investigation. LockBit did not follow through on threats to leak Pendragon's data at the time of reporting, with no subsequent disclosures verified through the gang's usual leak channels.
