ra2 studio - stock.adobe.com
Umbrella company Parasol is finding itself under fire over its handling of the fallout from a suspected ransomware attack on it systems five weeks ago, after it confirmed the incident may have led to the personal data of its contractors becoming compromised.
The January 2022 attack on Parasol prompted the company to proactively disable and remove its customer-facing systems from the web in the days that followed, and has led to widespread disruption to the pay day cycles of thousands of contractors across the UK.
Parasol’s parent company Optionis Group confirmed in an email to its contractors on 7 February 2022 that its IT security team had uncovered evidence that “some data” had been copied and leaked online since the attack on its systems last month.
The email, signed by Optionis Group CEO Doug Crawford, said the firm has been unable to “ascertain the precise nature of the information” contained in that leak, but that it would notify its contractors and employees immediately if it emerged that their personal data had been compromised.
“We felt that it was important to let you know about this development and we can assure you that we will inform you as a matter of urgency should we uncover that personal data, which is likely to result in a high risk to you, has been leaked,” the email added.
At the time of writing, no further details about the amount or type of data compromised by the breach has been released by Optionis, nor is it clear how many contractors may have been affected by the incident.
“Unfortunately, we’re not able to provide any more information at this stage, but would reiterate that our team of cyber security experts are working as quickly as possible on the investigation,” said the company in a follow-up statement to Computer Weekly.
As well as Parasol, the Optionis Group also owns and operates a number of contractor-focused accountancy firms, including Nixon Williams and SJD Accountancy. The Group is collectively understood to provide services to around 28,000 contractors across the UK.
Speaking to Computer Weekly on condition of anonymity, an umbrella market source said the number of contractors the group employs, coupled with its relatively wide range of business interests, means the company is sitting on a potentially huge “treasure trove” of data for cyber criminals.
“Within Optionis, you’ve got an umbrella company and several accountancy firms, so the amount of personal data they sit on will be absolutely phenomenal,” the source said. “You’re talking about names, phone numbers and email addresses [for their contractors], but they’re also going to have bank details.”
The source added: “They’re full-blown employers, so they’ll be doing right-to-work checks [for their contractors] and that means they’ll have identification documents potentially on file, including passports, and driving licenses, too.”
The fact that several of the Optionis Group brands also specialise in the provision of accountancy and tax advisory services to limited company contractors also means the company is liable to have in its possession company accounts and tax returns, the source added.
“It’s a pretty phenomenal treasure trove of data that is potentially at stake here, and the million dollar question is how much of that has been exposed.”
Read more about umbrella companies
- An MP-led inquiry into the UK’s ‘wild west’-like contracting sector is demanding urgent action by the government to push through regulation to ensure freelance IT workers receive the correct pay and benefits for the work they do through umbrella companies.
- A surge in the number of umbrella company comparison sites offering ‘too good to be true’ take-home pay rates has reignited concerns that the incoming IR35 private sector reforms could result in more IT contractors facing life-changing tax bills in years to come.
As well as wanting to know more about the amount and type of data affected by the breach, the company’s contractors are also keen to know why it has taken five weeks for the company to uncover and notify them that their data may have been compromised.
Especially as Computer Weekly has seen copies of emails from the Optionis Group CEO from several weeks ago that state the attack on its systems did not seem to have led to any personal data being lost or compromised.
An email sent out by the company on Friday 14 January 2022 stated that “investigations currently indicate that your personal information has not been extracted”.
The data breach disclosure calls that earlier statement into question, said one contractor, who spoke to Computer Weekly on condition of anonymity, while also suggesting the firm is still coming to terms with the damage the January attack has done to its systems.
“We have gone from being advised that no data had been lost to finding out that – actually – our information has been potentially stolen and leaked on the web,” said the contractor. “What has taken the firm five weeks to advise us of this situation?”
In the wake of the news of the data breach breaking, Computer Weekly has also been contacted by contractors who stopped working for Parasol in the aftermath of last month’s cyber attack and are now dismayed to discover they have not been contacted directly by the firm about the breach.
“I don’t have an active contract with a client via Parasol any more, but I’m still technically an employee and I’ve not heard anything,” one contractor told Computer Weekly.
Computer Weekly queried whether contractors who have stopped working in recent weeks for Optionis Group should have been included on the data breach mailout, and the company provided the following statement in response: “We are investigating the precise nature of this information as a priority and are communicating with those who may have been impacted.”
The data breach alert email also stated that Optionis has partnered up with credit reporting firm Experian to provide contractors with a “dedicated helpline” they can use to raise any queries they have about the data breach.
However, contractors are now calling on the firm to go one step further and provide them with free access to Experian’s paid-for credit monitoring and identity theft detection services in the wake of its data breach.
Computer Weekly put this request to Optionis, but the company did not directly address the question in its response statement.
“The Experian helpline has been set up specifically in relation to this incident, so we would encourage people with any questions to take advantage of the services until we can provide a further update,” it said.