Hackers attack Parasol and Brookson, leaving umbrella contractors unpaid
Parasol and Brookson have been hacked simultaneously, in a concerted cyber-attack on umbrella companies -- possibly because they look to have grown ‘fat’ from IR35 reform.
Giant was hacked in late September 2021 in a suspected case of ransomware and on Friday, Brookson Group said it was “last night” the victim of “the same aggressive attack.”
Brookson’s Rob Arnold did not cite ransomware as the type of attack, but said “no data was removed” from the firm’s network, which it had “disabled” as a ‘preventive measure.’
Parasol said much the same on Friday in a similar email (also sent to affected parties), saying it had “suspended our systems” following “malicious activity on our network.”
An agency director in receipt of the email, written by Parasol’s CSO Greet Brosens, says the wording smacks of the attack being malicious, rather than financially motivated.
Speaking on condition of anonymity, the director told ContractorUK: “Of Brookson and Parasol, the biggest impact on contractors will be Parasol, because it’s the larger umbrella.
“Indeed, Parasol has already had to pay people late and manually. But there’s been no ransom issued. So it sounds purely malicious.”
'Waiving our margin'
In her email, Ms Brosens says Parasol is paying staff an advance (albeit lower than usual) payment, based on submitted timesheets and remittances received from agencies.
She said Parasol will ensure reimbursements for any losses contractors incur and, in a welcome gesture, the brolly is “waiving our margin” during the cyber-attack period.
In his email, Brookson’s head of sales Mr Arnold says the “objective” is to ensure that all customers who would ordinarily expect payment on Friday still “receive them” by Friday.
He also says that the cyber “incident” on the Brookson Group network has been reported to the UK National Cyber Security Centre.
'High risk of adversely affecting rights and freedoms'
According to data lawyer Charlotte Gerrish, it may not be the only authority which Brookson, and potentially Parasol too, needs to notify.
“Contractors should note that the UK GDPR imposes obligations on payroll companies to report certain personal data breaches to the Information Commissioner’s Office within 72 hours of becoming aware of it.”
The founder of Gerrish Legal continued last night: “If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, then affected payroll companies must also inform those individuals without undue delay.”
'Umbrellas getting fatter -- by taking on increasing volumes of personal data'
But the lawyer revealed that perhaps the bigger take-away for contractors is that such criminal attacks on the contractor sector are starting to point to a motive.
“Given the increased number of cyberattacks against umbrella companies in recent months, it is clear that cybercriminals are taking advantage of the fact so many contractors now need to work on a payroll basis following implementation of IR35 reform, which has resulted in umbrella companies having increasing volumes of personal data,” Ms Gerrish told ContractorUK.
By contrast to umbrellas looking ‘fat’ with much newly acquired data, PSCs tend to mainly house the personal data of their director-shareholder, and as owners, these individuals can exert “far more control over personal information and other sensitive financial information,” she said.
'Vast sums of cash now flowing through big brollies'
But James Poyser, a chartered accountant, believes it’s not just an influx of data from April 6th 2021 that makes payroll companies look ripe and juicy targets to hackers. It's an influx of money since then too.
In a post, he warned contractors: “This [hacking of Parasol and Brookson] is on the back of Giant's recent catastrophic attack…[so], if you can, move to a smaller umbrella company.
“The larger [umbrella companies] will always be an attractive target, given the vast sums of cash [now] flowing through their [systems].”
Also boss at off-payroll.org, Mr Poyser said the three cyber-attacks proved now was the time to “mandate security requirements” for umbrellas, “in the same way the FCA does for banks”.
'Not a regulator'
Parasol, Brookson and Giant are the three umbrella companies which founded the Freelancer & Contractor Services Association.
And the FCSA has now responded to its three founder-member companies all being hacked.
“FCSA is not a regulator, and its expertise is in compliance with employment and tax regulations for the sector,” a statement by the association begins.
“Nevertheless, we urge all our members, and all organisations in the supply chain, to prioritise their response to this risk by undertaking comprehensive and regular reviews of their system security and safeguarding of personal data and, at the very least, putting in place the appropriate measures recommended by the National Cyber Security Centre.”
Significantly, while neither Brookson nor Parasol mentioned ransomware in their emails (and Giant has repeatedly declined to confirm ransomware), the FCSA identified it specifically.
“FCSA recognises that, particularly in the case of ransomware attacks, the time from attack to resolution is affected by multiple factors and difficulties.
“It is rarely a simple case of ‘restore from backup,’” it said. “However, we expect FCSA members to make every effort to ensure that employees are paid outstanding amounts as quickly as possible, and that they are as open and honest with their employees as they can be”.
'Left without money, but with anxiety, great worry'
The statement that rapid, remedial action is at least the intention might go down well with one Parasol contractor.
But on Friday, he spoke of being “left without money…causing me anxiety and great worry, as I have payments coming out of my account today.”
The reply to a request for comment from ContractorUK to a director at Parasol on Saturday might reassure the unpaid contractor -- and the many others also out of pocket.
“Sorry I can’t spare you the time [to reply myself but]…I am incredibly busy getting payments out to our employees this weekend,” the Parasol director said.
'Procedures in place'
Guidance for contractors on getting paid as an umbrella contractor was issued by Safe Collections, exclusively to ContractorUK, in the wake of Giant being hacked in September.
But guidance for brollies amid the hacking spree may now be on the ‘to-do’ list of Gerrish Legal.
“Payroll companies should ensure they have breach detection, investigation and reporting procedures in place which will help them to ascertain the action to be taken should a cyber-attack occur,” the data law firm recommended.
'Contractors should be vigilant and ask questions'
Turning to contractors, the firm advised: “In light of the recent breaches and the security obligations that the UK GDPR imposes on payroll companies, contractors should be vigilant when selecting their umbrella company and ask questions about data security and the history of data breaches.
“Contractors should also not hesitate to seek relevant indemnities and protection in the contracts they sign with their chosen company to try to avoid exposure, risk -- and above all, stress.”
At the time of writing, the sister companies of Parasol -- SJD Accountancy and Nixon Williams -- have alerts on their log-in portals that their systems are “down for maintenance” and experiencing “system issues,” respectively.
Both Parasol and Brookson have been invited to comment.
UPDATE: Yesterday evening, a spokesperson for Parasol said: “After identifying an issue affecting our IT network, we proactively took the decision to suspend our systems to ensure the safety and integrity of our data.
“We have identified the root cause of this issue as malicious activity on our network and we are conducting a detailed investigation into this incident, which will conclude as soon as possible. From the ongoing forensic exercise and investigations, there is no indication of extraction of employees’ personal information.
“In order to minimise disruption for Parasol employees, we have taken a number of steps to ensure our core services can continue to operate whilst this investigation is ongoing. A key part of this is a solution to make sure we can pay our umbrella employees, with many thousand payments having been made in the last couple of days alone.
“We are also offering full support via our LiveChat function; our support teams are taking phone calls, and we are providing updates to our employees and partners as we seek to resolve this issue.
“We apologise for any inconvenience this may be causing. We are working around the clock to ensure normal service is resumed and will provide more information as soon as possible.”