Hacked Parasol and Brookson outline new systems and processes

Parasol and Brookson Group have put out further communications to agencies, end-users and contractors concerned about cyber-criminals hacking the two umbrella companies.

But Parasol’s sister companies SJD Accountancy and Nixon Williams are still yet to say why their online portals have been offline too, since about the same time of the cyber-attack.

Parent company Optionis, which owns the three contractor brands, may have decided to take down all of the group’s online systems when it “suspended” the Parasol network.

That scenario (rather than the alternative that SJD and Nixon were also hacked) gains credence from Optionis-owned accounting advisory First Freelance also being currently offline for its ‘Contractor Cloud’ users.

Optionis representatives and staff were asked to comment yesterday, following a stream of questions to ContractorUK from customers of the two accountancy firms. [Editor’s Note: An Optionis spokesman has since briefly commented, see the UPDATE at this article’s end.]

'New payroll systems up and running'

On Friday though, Parasol said it pulled its MyParasol portal and turned off its usual comms channels to ensure “the safety and integrity of our data,” to “protect the Parasol community.”

But in a potential sign of the large scale of the attack, Parasol yesterday said it was preparing an entirely new payroll system, including a fresh way for contractors to submit timesheets.

“We are currently expecting to have new payroll systems up and running over the next few days”, wrote Parasol’s chief sales officer Greet Brosens.

In an email to agencies, she added: “[This] means that most of our employees should be receiving correctly calculated pay from this week onwards.”

'Still not been paid'

The timeline may reassure one ContractorUK Forum user, who yesterday afternoon said he had “still not been paid yet” despite his agency claiming to have paid Parasol last Thursday.

“I was paid about half what I was owed for last month over the weekend,” added a second forum user. “[But] I can't invoice [Parasol now] for last week, with their system [still] down.”

In her email yesterday afternoon, Parasol’s CSO Ms Brosens said the umbrella company had paid “thousands” of contractors “over the last few days.”

'Don't assume you'll be fully paid'

Adam Home, an expert in chasing outstanding fees, says there are markedly fewer options for unpaid umbrella contractors than there are for unpaid limited company contractors.

Referring to the hacking of Parasol, and the hacking of Brookson -- which is yet to respond to a request for comment despite updates via its staff on LinkedIn, Mr Home advised:

“For any contractor impacted by the recent issues, now is the time to be a little more proactive in your credit management.

“Do not assume you will receive full payment...and take steps to manage your own cash flow and exposure to creditors.”


A senior credit manager at Safe Collections, Mr Home also recommended: “It may now also be prudent for contractors to invest in credit monitoring or other personal credit score services, to ensure any personal information that may have been purloined [in these hacks] isn't used for nefarious purposes.”

On Friday, Brookson Group said its network defence team “spotted and contained” the cyber-attack “immediately” with the effect that “no data was removed.”

Yesterday, Brookson’s Marcus Kenny said all customers and suppliers “should” by now have received a “direct communication explaining how our processes will work through this contingency period.”

“If you have not received this detail,” he continued in a post, “please email info@brookson-businessadvisors.co.uk and we will call you back”.

'Not addressed in an appropriate and timely manner'

Last night, data law firm Gerrish Legal warned that from a UK GDPR perspective, a ‘cyber-attack’ constitutes a ‘data breach’ when any personal data is concerned.

In a statement, the law firm said: “Recital 85 of the GDPR states that, ‘A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.’”

Asked to translate what the recital means, in practice, the firm’s founder Charlotte Gerrish explained: “This means that ‘attacks’ can mean anything from mere inconvenience for contractors, to much more damaging situations where theft and fraud has occurred.”

'Parasol and Brookson rivals are circling like vultures'

Yet even if it is just ‘mere inconvenience’ for contractors, in the cutthroat umbrella company industry, the rivals of Parasol and Brookson aren’t missing an opportunity. 

The managing director of a well-established staffing agency said last night to ContractorUK: “I’ve had calls and emails from other umbrella companies all day today, about improvements they are making to both their business continuity plans and their cyber security systems. And not just today. They’ve been circling like vultures for the last few days.”

UPDATE: A spokesman for Optionis, on behalf of SJD Accountancy and Nixon Williams said: “There's not anything more we can add beyond our [initial] statement at this stage; just that the decision to suspend the systems was taken proactively and the investigation is ongoing.”

Profile picture for user Simon Moore

Written by Simon Moore

Simon writes impartial news and engaging features for the contractor industry, covering, IR35, the loan charge and general tax and legislation.
Printer Friendly, PDF & Email

Sign up to our Weekly Newsletter

Keep up to date with everything in the world of contracting.


Contractor's Question

If you have a question about contracting please feel free to ask us!

Ask a question