Giant group hacked in suspected ransomware attack

Giant Group has admitted its computer systems which pay thousands of umbrella company contractors each week have been hacked.

The group’s Giant Pay told contractors on September 22nd that all its systems were being taken offline following the detection of “suspicious activity”.

But the suspicious activity was just a precursor to a “sophisticated cyber-attack” on the company, a Giant Group spokeswoman told ContractorUK last night.

'Criminal ransomware'

As that attack continues to see the company’s phone, email and server network out of operation, with both the Giant Umbrella and Giant Accounts portals offline too, ransomware is suspected.   

Giant declined to specify the nature of the cyber-attack, but the CEO of a trade body which the umbrella company co-founded, says Giant’s systems have indeed been locked, externally and maliciously.

“We are liaising with Giant to ensure we can address this issue at speed, and while Giant has been the victim of a criminal ransomware cyber-attack, I am reassured that their only priority is to ensure that contractors receive the money they are owed,” said the chief executive, Phil Pluck, of the Freelancer & Contractor Services Association (FCSA).

'Technical issues'

Given outstanding sums per contractor quoted on social media by those affected are said to be approximately £6,500, Giant’s contractors are pressing firmly for payment.

In Giant’s statement, which attributes its systems downtime to a combination of integration and “technical” issues, the company says it aims to pay by this Friday.

However on LinkedIn, a range of payment 'due dates' were originally informally reported by hopeful contractors, as Giant's non-payment has affected various individuals at varying amounts since a week ago.

'Suspicious activity'

Yet many Giant contractors have actually been paid during that period, the group’s spokeswoman pointed out.

“Although we had no portals to operate from, we managed to pay over 8,000 workers last week,” she said. “We appreciate that not everyone would have received their expected payment, and for that we are sincerely sorry.”  

Online, some contractors imply that shutting down its portals, payment systems, phone and email network on the basis of “suspicious activity” would be an overreaction for a commercial outfit.

'No pay, no direct communication'

While the shutdown adds credit to the likelihood that the brolly has been hit by ransomware, other contractors said they were just annoyed at being left out of pocket.

And annoyed at being left out of the loop.

“I'm impacted. No pay for over a month. Text received on Sep 21st saying ‘your pay will be in bank by 22nd’ [but] nothing arrived,” one Giant contractor began.

“Then no communication or indication of when I will be paid. My agency has also been chasing as they sent the money through in the first week of September. Coming up to month-end, so there will be financial implications for me.”

Another Giant contractor with a similar experience posted: “[I received] no direct communication from Giant, [only an] email from my agency late Friday afternoon…[so I’m still] waiting to hear [directly] what happened, [and] what data was lost. [Unfortunately] no encrypted data is entirely safe if there is enough money behind it.”

'Ongoing investigation'

Writing exclusively today for ContractorUK, with guidance on what contractors should ask Giant once its communications reopen, is lawyer Charlotte Gerrish, a specialist in data protection.

Since she submitted her guidance, Giant has declined to say how many contractors or records are affected, and it did not specify the type of data involved.

But the umbrella says it is now working with the Information Commissioner’s Office (a duty of a data-holder where a data-holder suspects a breach involved personal information).

Giant also says it has enlisted law firm Crowell & Moring, which “immediately put in place a team of experts in the US, UK and Brussels who have been carrying out necessary steps as part of the ongoing investigation” into the hacking, the umbrella said.

'Goes a lot deeper than just a hack'

Aside to the cache of contractors’ data now potentially exposed though, there are concerns for umbrella companies.

“Unfortunately, it goes a lot deeper than this,” warned a director at an umbrella company when asked about the Giant hack.

“We are all good so far this end…[as we have not experienced a similar cyber-attack], but we have pre-warned our bank. Just in case.”

'Severe issues at umbrella company Unified'

The director was part referring to another umbrella company, Unified Payroll, yesterday announcing that it has suffered “severe issues” with its payroll system.

Said to affect payments to contractors between September 16th and September 17th, the issues led to a “security” problem with its “bank account”, Unified said in a statement.

For coming hot on the heels of Giant’s by-then-already-confirmed hack, off-payroll.org yesterday warned that Unified may have suffered the same fate -- an external cyber attack..

'Two-week run of clone umbrella companies'

But Unified has now removed its statement (which made no mention of online or malicious activity) and, despite being asked to by ContractorUK, the brolly has not confirmed its security or account problems were caused by hackers.

Yet in a development of even greater magnitude, other umbrella companies are now under a new, sustained attack, aimed at fraudulently siphoning off contractors’ earnings.

“Over the last two weeks, the FCSA has seen a number of companies being formed at Companies House which appear to be trying to imitate our genuine umbrella company members,” revealed the association’s Mr Pluck.

“We are aware of this activity and have engaged with recruitment agencies to ensure that they are only dealing with the genuine company – not the clone company -- when paying out contractor earnings.”

'We've been cloned, not hacked'

Speaking out yesterday but on condition of not being named, the owner of one targeted brolly confirmed: “We have been cloned, not hacked.

“Fortunately we’ve paid to have our name protected by the Intellectual Property Office, so that means Companies House will soon remove the offending ‘company.’ But the scammer copied our company’s name [with a variation] and tried to get hold of our VAT certificate by pretending to be a contractor on the phone to us.”

Sounding shaken and clearly upset by the attempted fraud, the umbrella boss continued: “The scammers could then approach an agency knowing it uses one of the cloned umbrella companies, and by cloning an email address, could illicit a ‘change of company bank account’ on their database, so that when the agency paid the umbrella company, the funds disappeared to the cloned company bank account which would be a very similar name. Replicated to just a dozen or so umbrellas, this could be a fraud amounting to millions.”

'Actively aware, and involving Action Fraud'

Asked last night about the fraud-risk posed by ‘cloning,’ another bonafide brolly Clarity Umbrella said it was “actively aware” of the risk and had involved Action Fraud.

But at the time of writing, the UK fraud-reporting centre is yet to respond to a request for comment amid concerns that its most helpful interventions tend to be made only after fraud has been committed.

To some however, ‘cloned’ umbrella companies popping up on Companies House, Giant being hacked, and umbrella bank account ‘issues’ are not coincidental. Rather, they are all connected.

'Attack of the clones'

“The question [to my mind] is whether Giant's data breach was related to the attack of the clones, because I suspect it is,” said an owner of a smaller umbrella company speaking on condition of anonymity, who said she had counted at least 15 umbrella clones on Companies House since early September.

The owner explained: “One reason for not paying workers – as per both Unified and Giant --  could be because the money that the brollies were waiting for has been sent by the agencies, but not received by the umbrella company, because a clone received it instead.

“We shall have to wait and see what comes of this. But a speedy resolution would be best for all parties concerned -- all parties; that is, other than the miscreant, or miscreants, behind this widely attempted fraud.”

'Giant group doing everything it can'

In its latest update to its contractors, Giant said: “With instances related to a cyber-attack, there are certain protocols that must be followed to ensure that the integrity of the investigation is not compromised and therefore we unfortunately were unable to communicate with you as openly as we wanted to. “

The company added: “We know everyone is frustrated about the lack of communication and we’d like to offer an explanation; our phone and email systems are integrated in our network and IT infrastructure. As a result, when we had to close the whole network, our phone and email systems were inaccessible. 

“[And] we are currently working on a technical issue that is preventing us from getting the giant umbrella and giant accounts portals back up and running. We are doing everything we can to resolve this so that we can then begin our conversations with you.”

Profile picture for user Simon Moore

Written by Simon Moore

Simon writes impartial news and engaging features for the contractor industry, covering, IR35, the loan charge and general tax and legislation.
Printer Friendly, PDF & Email

Contractor's Question

If you have a question about contracting please feel free to ask us!

Ask a question

Sign up to our newsletter

Receive weekly contractor news, advice and updates.

Every sign up will be entered into a draw to WIN £100 Amazon Vouchers.

* indicates required