
IR35: Giant Group cyber attack prompts renewed calls for statutory regulation of umbrella companies

As details about the fallout from the cyber attack on the Giant Group umbrella company emerge, stakeholders say the incident should prompt the government to expedite regulating contractor payroll processing firms

A suspected ransomware attack that prevented payroll processing firm Giant Group from paying wages to thousands of contractors across the UK has led to renewed calls for umbrella companies to be statutorily regulated.

Giant Group was forced to “proactively” suspend its entire operations from Wednesday 22 September 2021 following the discovery of “suspicious activity” on its network that was attributed to a “sophisticated cyber attack”, according to a statement published by the company five days later.

In the wake of the attack, the company closed down its entire IT network, rendering its email and phone systems inaccessible and leaving contractors frustrated because they had no means of contacting the firm to chase wage payments that were due on Friday 24 September.

At the time of writing, the company was bringing its systems back online, and – in a statement dated 29 September – said it was on track to pay any outstanding timesheets and invoices by today (Friday 1 October).

The company claimed it managed to process 8,000 wage payments as the incident unfolded, but it is unclear – based on the size and scale of Giant Group’s business interests – how many contractors were affected by the fallout from the incident.

Giant Group’s most recent accounts filing with Companies House, covering the 12 months to 31 May 2020, said the firm had a turnover of £218m and 5,683 contractors on its books that rely on Giant to process the invoices they receive from clients.

Some of these individuals may work directly with Giant or are engaged via recruitment agencies or end-clients who outsource their payroll responsibilities to the company.

Growing numbers of umbrella contractors

Since the roll-out of the IR35 tax avoidance reforms to the private sector in April 2021, anecdotal evidence suggests there has been a marked uptick in the number of contractors working through umbrella companies.

This is because hiring contractors that work through umbrella companies means the end-user organisation does not have to determine the tax status of those individuals, which is a responsibility the reforms placed on them.

Contractors that work through umbrellas, such as Giant Group, are considered employees of those companies, so the IR35 rules no longer apply to any engagements they undertake for end-clients.

In the lead-up to the reforms, Computer Weekly published numerous reports about private sector firms that introduced hiring bans that prohibited the use of limited company contractors, while favouring individuals who provided their services through umbrella companies.

Given that the reforms came into force in April 2021, and Giant Group’s most recent set of accounts only take into account its business activities up to May 2020, there is a chance that many more contractors have joined its ranks during the interim period.

As previously mentioned, Giant Group is also relied upon in a behind-the-scenes capacity to run payroll for other organisations, including freelance marketplace YunoJuno, for IR35 compliance purposes.

The Giant Group website also lists recruitment companies Hays, Alexander Mann and Adecco as reference customers, among others.

James Poyser, founder of the anonymous freelance feedback portal OffPayroll.org.uk, said his website has received reports from contractors engaged via agencies who had no idea they were paid through Giant until the incident occurred.

“There are lots of people impacted directly who have selected Giant as their umbrella company, but there are also people who did not know that Giant were involved in the supply chain they have [with their clients] until they didn’t get paid,” Poyser told Computer Weekly.

“I suspect YunoJuno aren’t the only people Giant do payroll for because they certainly do recruitment agency payroll, where the contractor working through the agency won’t know they are part of Giant either. Giant are a big company and they have tendrils everywhere.”

Poyser added: “You can see how big Giant are from their turnover figure [£218m]. Nearly half a billion pounds of wages a year go through that company. So for people to not even get paid for a week, that’s a staggering amount of money that’s been held up by this.”

Computer Weekly contacted YunoJuno for comment on this story, and received the following statement from its founder and CEO, Shib Mathew: “We can confirm that some of our freelancers have experienced late payments from Giant. Our priority has been to keep those freelancers updated on Giant's progress to resolve the matter which is now with the appropriate authorities.”  

Communication breakdown

One of the recurring complaints among the contractors blighted by the incident is how difficult it has been to speak to someone directly at the firm about the missing or delayed wages, but also to seek assurances about whether the cyber attack has put their personal data at risk.

“We’ve probably all been at the sharp end of a data breach somewhere, and you tend to get an apologetic email pretty quickly – ‘This is what’s happened, and here is the data that has been disclosed, and here is what we recommend you do to protect yourself’,” said Poyser.

“Contractors have been in the dark, in terms of what they should be doing, and more communication on that front from Giant would have been helpful, so people know what they should be doing to safeguard their personal data.”

One contractor, who spoke to Computer Weekly under condition of anonymity, said they are paid on a monthly basis by Giant, and will find out in the coming days whether their payday cycle has been disrupted by the incident. In the meantime, concern about the safety of their data is top of mind.

“It’s really concerning me,” said the contractor. “They have on file my passport, driving licence, bank account details, because that’s all information you need to hand over to them as your employer. It’s an absolute treasure trove of information for a hacker.”

In a statement, distributed to the press on 27 September, Giant Group acknowledged how frustrating the lack of communication had been for contractors and the company’s clients, but said it was necessary to take its entire operations – including its email and phone systems – offline to ensure the “integrity of the investigation was not compromised”.

The statement confirmed that the company had enlisted law firm Crowell & Moring to assemble a group of “experts in the US, UK and Brussels” to investigate the incident.

The company has also repeatedly stated in its public statements about the incident that its databases are encrypted. It has also published a frequently asked questions page on its website, which gives the following response to a query about whether any contractor data has been compromised: “To give you reassurance, all of your data is held on Pure Storage arrays, which are automatically encrypted.” Array-level encryption of that kind protects data at rest on the physical media, against loss or theft of the drives; it is transparent to the hosts and applications authorised to use the arrays, so it does not by itself prevent an attacker who has compromised those systems or accounts from reading or exfiltrating the data, and the statement should not be read as confirmation that no contractor data was accessed.

Computer Weekly has also received separate confirmation from the Information Commissioner’s Office that Giant has made the data protection watchdog aware of the incident, while the National Crime Agency said in a statement that it was “working with partners to better understand the impacts” of the attack.

Was it ransomware?

Questions remain about the exact nature of the “sophisticated cyber attack” that hit Giant Group’s systems, giving rise to speculation that the firm has fallen victim to a ransomware gang.

Computer Weekly contacted Giant Group to seek clarification about the nature of the attack, and was told all the information it can provide at this time is in the public domain.

However, a statement issued by the CEO of the Freelancer and Contractor Services Association (FCSA) appears to confirm that it was a ransomware attack that Giant Group fell victim to.

The FCSA is a membership body that provides accreditation for umbrella companies that want to demonstrate their commitment to operating in a compliant way. Giant Group is an accredited FCSA umbrella company and one of the Association’s founding members. Giant Group sales director Daniel Haslam is also an FCSA board member.

“We are liaising with Giant to ensure we can address this issue at speed, and while Giant has been the victim of a criminal ransomware cyber attack, I am reassured that their only priority is to ensure that contractors receive the money they are owed,” said FCSA CEO Phil Pluck in a statement shared with ContractorUK.com.

Although Giant Group has yet to confirm or deny directly that it was a ransomware attack, there are several signs that suggest this may have been the root cause.

“The speed of the outage and the protracted nature of the recovery bears all of the hallmarks of one,” said Paul Watts, distinguished analyst at the Information Security Forum.


Ransomware attacks are becoming increasingly prevalent, said Watts, which is why it is “imperative that business resiliency is at the heart of business strategy” because of the crippling effect such attacks can have on business operations.

As previously reported by Computer Weekly, a recurring complaint from contractors affected by the Giant Group attack is that it has taken the firm so long to get back up and running again.

Watts added: “In a digitally dependent world, ransomware attacks pose an imminent disruption scenario that most businesses should be planning for. As the cyber attack against Giant Group demonstrates, its impact can transcend your traditional definition of information technology.

“In some cases, operational technologies can be knocked offline or may need to be knocked offline to limit further damage. This can propel an organisation from fully operational to an inoperable analogue abyss in minutes.

“Cyber attacks can happen quickly and decisively, in a matter of minutes, as appears to have been the case with Giant Group. To effectively manage such an attack, the key is to plan, plan, rehearse, rehearse, and plan some more, so organisations are in the best position to defend, respond, recover and survive.”

What can be learned from the incident?

Crawford Temple, CEO of Professional Passport, a company that provides compliance assessment services to umbrella companies, said that, ransomware or not, the incident still has “concerning implications” for all umbrella companies.

“It raises the bar for each and every provider to look at their systems and work to ensure that robust systems are in place to protect their data and that of the whole supply chain,” he said.

“The challenges for providers and their security measures have been heightened with so many workers now working remotely, which has provided additional access points to hackers. This is probably one of the main reasons there appear to be increasing reports of ransomware circulating at this time.”

News of the Giant Group cyber incident also coincided with reports of technical issues blighting another umbrella company, known as Unified Payroll, that has led to another tranche of contractors not being paid what they are owed.

In a statement on Unified Payroll’s website, its issues are blamed on a “security issue” with the company’s bank account, dating back to 16 and 17 September. At the time of writing, the company said it remained unable to pay its contractors, and advised them that it would not be accepting any further timesheets “until the problem is fully resolved”.

The statement added: “Our directors are working very closely with our bankers to resolve this issue in a timely fashion. We have not been given any clear timeframes.”

Computer Weekly understands the two incidents at Giant Group and Unified Payroll are isolated and unrelated, but Temple said both incidents should compel the umbrella company sector to re-evaluate its IT security processes and protocols.

He said that for this reason, Professional Passport had “initiated a review of the security measures that our providers and supply chain partners have in place and will work with them to develop appropriate standards”.

The FCSA is another body concerned with ensuring compliance and good practice in the umbrella sector, and Computer Weekly asked it whether it had policies to guide its members on how to deal with ransomware attacks, and whether its members were expected to routinely carry out penetration tests on their systems. The Association did not directly respond to these questions.

Strengthening the case for statutory regulation

While it is hoped that the Giant Group attack may lead some other umbrella company firms to reassess their own security posture, contracting market stakeholders hope the incident might prompt the UK government to expedite the roll-out of statutory regulation for umbrella firms.

There has been some progress on this front, with the UK government setting out plans to create a single enforcement body (SEB) in due course that will be tasked with protecting workers and umbrella contractors from rogue employers and workplace malpractice. 

This is on the back of a growing number of anecdotal accounts that have served to highlight links between non-compliant umbrella companies and tax-avoidance schemes, as well as reports of these same entities making unnecessary deductions from the pay of the contractors they employ.

Until the SEB comes into force, umbrella contractors remain without any real means of redress when incidents such as the Giant Group attack stop them receiving the money they are owed, said OffPayroll.org.uk’s Poyser.

“There’s nowhere for people to go and flag these issues to,” he said. “If the government can get a single enforcement body sorted out, and publicise it so that any umbrella worker facing problems knows what government departments to get the support they need from, that would be a start.”

Julia Kermode, founder of independent worker consultancy IWORK.co.uk, backed this view and said the fallout from the Giant Group cyber attack might have been easier for contractors to bear if there was an independent third party they could consult on what their next steps should be.   

“If regulation had already been in place, then I don’t think that whatever happened at Giant would have been prevented, but there would be an independent body in place where contractors could go to for redress, which could investigate what happened and conclude whether or not the situation was appropriately dealt with,” Kermode told Computer Weekly. 

“As things currently stand, there is no such avenue for redress, and affected workers have no option but to wait until the problem is resolved.  It is ludicrous that the government has chosen to ignore our collective calls for regulation of this sector, choosing instead to allow vulnerable workers to continue being at risk of exploitation. You only have to look at the loan charge victims to understand the very serious consequences of the government’s continued inaction.” 
