Optionis (now Caroola Group) hit with ICO reprimand over ransomware attack from 2022

The Information Commissioner’s Office has reprimanded Optionis, now Caroola Group, over what has been called ‘one of the largest ever ransomware attacks on the accounting industry.’

For not processing personal data in an appropriately secure way, nor having suitably secure technical/ organisational measures, Optionis Group Ltd flouted the GDPR, the ICO found.

These two critical data protection inadequacies infringe the UK General Data Protection Regulation’s Article 5(1) (f), and Article 32(1), respectively, the ICO said.

'Key IT systems suspended'

Optionis lacking both ‘appropriate organisational measures to ensure confidentiality’ and ‘Multi-Factor Authentication on user accounts,’ was exploited, when the data of up to 28,000 Optionis customers -- mostly contractors -- was accessed in the ransomware attack.

Launched in January 2022, the attack forced the brands within Caroola (then Optionis), notably Caroola Accountancy (then SJD Accountancy); Nixon Williams, and umbrella company Parasol to suspend “key” IT systems.

Emails obtained by ContractorUK at the time of the attack feature a senior Optionis director admitting that internally, the attack left Optionis’ companies without any access to client files.

'System issues, maintenance'

Originally communicated to users as nothing more than system “issues” or “maintenance,” the suspension of its key systems saw Optionis take offline its accounts-recording systems.

Thousands of contractors across the three contractor bands (SJD, Nixon Williams and Parasol) therefore went unpaid, or were paid only an initial or half-payment.

Some contractors were told by Optionis that those ‘in hardship’ would get their money first.

Other contractors were glad to receive payment but astonished to find it totalled just 2 pence.  

The ICO says that Optionis corrected “all underpayments” to individuals affected by the cyber-attack by February 6th 2022.

'Optionis held personal data for longer than was necessary'

Less impressed, the data watchdog also said Optionis held personal data for “longer than was necessary,” and said the group took 11 months to notify all individuals of the breach.

Caroola Group (which Optionis changed its name to following the ransomware attack) was last month invited by ContractorUK to comment on the ICO’s findings.

It declined.

'Analysis of impacted personal data took a considerable amount of time to complete'

But on its finding that Optionis took almost a year to notify those affected by the ransomware attack, the ICO reflected in its ‘reprimand’ (-- a formal written warning, albeit not as serious as a penalty or enforcement action):

“Optionis explained that the analysis of the impacted personal data took a considerable amount of time to complete, in particular, due to the size of the dataset.”

The dataset emerged in Feb 2022 as consisting of 400,000 individual files which, at the time, an Optionis spokesperson declined to rule out to ContractorUK as being available and for sale on the dark web.

'Welcome, remedial steps'

In its reprimand against the firm, Optionis is commended by the ICO for taking five actions since the attack, which was subsequently attributed to ransomware gang Vice Society.

Welcoming Optionis’ five “remedial” steps, the ICO said it hired a third-party security firm to investigate the cyber incident, and liaised with IT consultants for “advice and assistance”.

The contractor services conglomerate also put in place a “comprehensive” set of policies to protect and control the security of personal data.

In addition, Optionis deployed 24-7 managed detection and response on all corporate devices; enabled MFA on user accounts and, fifth, enforces “conditional access” on user accounts.

'Working hard'

In April 2022 (exactly 12 months before it became Caroola, and eight months before all affected persons were notified), an Optionis spokesperson claimed it was “working hard”.

At the time, the Optionis spokesperson told ContractorUK: “Since the cyber security incident we suffered earlier in the year, we have been working hard with a team of external IT security specialists to investigate the precise nature of the information that was copied from our systems during the attack.

“This has been a long and complicated process. However it remains our absolute priority to establish the impact on personal data and to communicate with those affected. We would like to thank our partners, clients and employees for their ongoing patience and support as we continue to respond to this incident.”

On October 10th 2023, the ICO ruled: “Taking into account all the circumstances of this case, including the aggravating factors, mitigating factors and remedial steps, the commissioner has decided to issue a reprimand to Optionis in relation to the infringements of…the UK GDPR”.

'Crime scene'

Separately, the British Library on December 15th 2023 said its systems and servers were now a “crime scene” following a ransomware attack in October 2023, “by a criminal group known for such activity.”

Reportedly inflicting £7million in terms of damage and recovery costs, the cyber-attack disrupted all British Library systems and services, with 600GB of data released onto the dark web.

Meanwhile, The Law Society on December 4th 2023 said that an IT services provider to the legal sector, CTS, had suffered a cyber incident, with the effect that law firms have been prevented from accessing their case management systems and clients delayed from buying, selling and moving into properties.

Offering guidance to currently unaffected conveyance firms, the Law Society said they ought to consider how they too can prepare for a cyber-attack (ahead of renewing their professional indemnity insurance), with one of the considerations being whether they have “appropriate cybersecurity systems in place.”