A rare window was given this week into the inner workings of perhaps one of Scotland’s most well-known organisations as it recovered from a devastating cyberattack.

Arnold Clark, the ubiquitous car retailer, fell victim to the Russia-linked Play ransomware gang on December 23, 2022, crippling its computer systems just before the Christmas break.

Eddie Hawthorne, CEO of the company, which has 12,000 staff and over 200 branches across the UK, gave an insider account of what it was like to lead an organisation which overnight had been thrown into chaos.

Hawthorne, who is due to retire in March after 27 years leading the company, said: “My CIO phoned me at about half-past six, and said, ‘Boss, I think we’ve got a wee bit of a problem here. I think there’s some unusual activity happening on our network.’”

It started incrementally, with the deletion or attempted deletion of files on the Arnold Clark network. Looking back, Hawthorne said it was a good thing that they had noticed it early, given that normally staff – including himself – would have been preparing for the festive break. But by midnight, the situation had deteriorated further.

“I won’t actually go into it in detail, but it was a big game of giant Whack-a-Mole. It was man versus machine and by 2:47 we were losing control of our system: we were about to be locked out.”

The only option at that point was to pull the plug, which Hawthorne said was a “brave decision”. The following day – Christmas Eve – the security teams reconvened to try and figure out what was going on with the network. They established that the ransomware had infected about five to 10 per cent of the company’s servers, and then stopped. The company still had its backups, and crucially its data, but the recommendation was not to switch the network back on until it could be established exactly what had been affected.

Forcing everything offline had an immediate impact on the business: it meant no phones, no emails, no access to vital systems, and no list of people who you would actually phone, because everything had been computerised.

“I had 700 customers coming in the day after Boxing Day to pick up their car, and I had no idea who they were,” he said. “There were 2,000 people coming in to get their car serviced. Again, no idea. And even if we did, we had no way of connecting with MOT or VOSA [Vehicle and Operator Services Agency].”

What ensued was a long, painful journey to recovery. The cyberattack ended up costing the company £50 million, it had ramifications for customer data and privacy, and all of the legal challenges therein, and it necessitated a full rebuild of corporate systems, with an IT budget that had been around £9 million almost doubling to £16 million.

The one message Hawthorne sought to get across – as he addressed delegates at Futurescot’s Cyber Security conference in Glasgow on Tuesday – was to ‘practice, practice, practice,’ in terms of cyber exercising and building resilience.

“Those were pretty trying times,” he said. “Now, my IT department worked really well: we had massive help from Microsoft, we had massive help from Cisco, and we had massive help from the police.”

In the end, the firm got back around 30 per cent of its system and was able to operate. Fortunately, the company had also paid its staff before Christmas, and it had a month to prepare for payroll the following month. It ended up having to revert to manual processes to make 12,000 individual bank transfers at the end of January.

“It just puts into perspective exactly what can happen and what really is quite scary,” said Hawthorne, who was left with a lot of ‘cheesed off’ employees over the next six months, because they had limited or no access to systems, and weren’t able to do their jobs to full effect. The impacts continued, with rising sickness levels in the business, and there were others who faced burnout because they were working round-the-clock to ensure the company kept trading.

Halfway through January, the company then found itself in the crosshairs of the ransomware gang. “This was a gift that kept on giving,” Hawthorne said, wryly. “I got a little email from the dark web telling me that they’d stolen some data, and they were going to release it.” Even though the firm’s data had been encrypted at source, once copied by the hackers, it became exposed. Arnold Clark had no way of telling how much they had, and therefore they had to try and find out.

“I’m not a particularly good IT specialist, but as a car salesman I’m not too bad at negotiating,” he said. “So, we negotiated for a bit of time so we could try and work out what these people had, so that we could then tell our customers, so they could protect themselves, so we could nullify the blackmail threat.”

Eventually, having ignored the hackers’ demands for payment, with Hawthorne advised by his lawyers not to engage with Russia-linked criminals who could be on sanctions lists, the company started to get back to a more normal way of operating. They are now in a position where they test their systems regularly, but they remain vigilant. Phishing attempts are getting more sophisticated, particularly with the advent of AI, and therefore the company has a strict ‘don’t click a link’ policy for emails.

Just this Christmas, the cybersecurity teams quarantined 2,000 suspicious phishing emails, 114 of which were assessed as being capable of doing serious damage to the business.

“Cybersecurity is a journey,” Hawthorne said. “If somebody says they’ve got it covered, aye right. It keeps going and going and going. You’re only as secure as your weakest link.”

“One of the things that we would always say now is speed of response is the best defence,” he added. “It took us 12 to 18 hours to respond to the attacks that we had that happened today. It would be one to two hours. And we’re pretty aggressive on how we deal with that.”

Moving forward, the biggest threat now is complacency.

Speaking after the conference at Strathclyde University’s Technology & Innovation Centre, he said: “Time’s a great healer or a great forgetter of what actually happens? And, you know, people let their guard down, a little bit of complacency comes in. So we have to keep it front and centre on a regular basis with all those staff.”

In practice, that also means the implementation of higher levels of security on endpoint devices, through the adoption of multi-factor authentication. Echoing comments made later in the day by Admiral Michael S. Rogers, Hawthorne said he would like to see greater cooperation between public and private sectors on combatting the threats.

He said: “What I would like to see is us working more progressively in partnership with private, public and law enforcement together, because it isn’t a one-person problem. This is a society problem. And whether it’s a private business, public business, or a law enforcement issue, I think awareness and people working together to take the best protection they possibly can will minimise this risk.”