Optionis notifies contractors of data being copied and leaked

Optionis, the parent company of Parasol, SJD Accountancy and Nixon Williams -- all three of which were last month hacked, says its internal data has been copied and leaked online.

In an email to agencies, the contractor conglomerate said it had not identified the “precise nature of the information,” but has detected it was duplicated and distributed on the internet.

'High risk'

The email adds that if an investigation finds the information is personal data “likely to result in a high risk” to Optionis employees, such staff will be informed “as a matter of urgency.”

The company’s CSO Greet Brosens also wrote: “We are about to write to all our employees, some of whom might be employed through you or your clients, to share this information”.

Gerrish Legal, a data law advisory, says Optionis appears to be doing the right thing, by letting contractors know even if it does not know the sort of data taken from its systems.

'Nothing more to tell'

“The UK GDPR imposes certain obligations,” the advisory began in a statement to ContractorUK.

“If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, then [the] affected payroll companies must inform those individuals without undue delay.

“But at this stage, [Optionis says it] is not aware of the nature of the breach, yet has nevertheless notified [parties] of its existence. Without more information on the breach, they likely have nothing more to tell.”

In the Optionis email, Ms Brosens says the cyber “incident” on its network was “contained,” and the company has notified both the police and “relevant authorities.”

'Contact the ICO if you wish'

Under the UK GDPR, a payroll company would need to report personal data breaches to the Information Commissioner’s Office within 72 hours of becoming aware of it.

“You can contact the ICO directly yourself should you wish to,” Gerrish Legal’s Alix Balsan advised yesterday, when asked if Optionis contractors should take action themselves.

“But equally, you can choose to wait to obtain more information, [given] the email indicates that they are unaware as to the nature of the stolen data.”

'Contractors should be vigilant, and not hesitant'

Payroll firms are advised to have breach detection, investigation and reporting procedures in place, to help them ascertain the actions to take should a cyber-attack strike.

“In light of the recent breaches and the security obligations the UK GDPR imposes on payroll companies, contractors should be vigilant when selecting their umbrella company and ask questions about data security, notably history of data breaches,” Ms Balsan said.

“Contractors should also not hesitate to seek relevant indemnities and protection in the contracts they sign with their chosen company, to try to avoid exposure, risk and stress.”

In her email, and since the hacking and removal of data from the company’s systems, Ms Brosens said Optionis has enlisted Experian for security advice, and has set up a helpline for staff and clients who have queries.