IT contractors are taking it upon themselves to investigate whether their personal data has been compromised in the Parasol umbrella company data breach, after growing frustrated at the time it is taking for the payroll processing company to provide updates on the situation.
Computer Weekly has spoken to a handful of system administrators and IT security contractors, employed through Parasol, who have spent the past few days downloading hundreds of gigabytes of data and thousands of files from the dark web that are known to belong to the company and its subsidiaries.
At the same time, a group action is being prepared by London-based law firm Keller Lenkner to seek compensation for contractors caught up in the breach, with its own data suggesting that some of the leaked data could date back more than 10 years.
“Going on what we’ve seen, there is data there that goes back as far as 2011 and 2009, so anyone who has used Parasol in the last 10 years – at least – could have some data on that [leaked] database,” Kingsley Hayes, head of data breach at Keller Lenkner, told Computer Weekly.
The leaked files are being hosted on a dark web page run by known ransomware gang Vice Society, and are listed as belonging to Parasol’s parent company, Optionis Group, whose operations also include several accountancy firms that specialise in providing services to limited company contractors.
These accountancy firms include Clearsky Business, Clearsky Contractor Accounting, SJD Accountancy, Nixon Williams, First Freelance and Optionis Accountancy.
The Optionis Group suffered a suspected ransomware attack in the second week of January 2022 that prompted it to proactive disable and remove its customer-facing systems from the web in the following days, and led to widespread disruption to the payday cycles of thousands of contractors across the UK.
Having previously assured contractors via email, on Friday 14 January, that its “investigations currently indicate” that no personal data was extracted during the attack, the firm sent out a follow-up email on 7 February that confirmed “some data” had been leaked online.
It is understood that collectively, across all its brands, Optionis Group provides services to about 28,000 contractors across the UK, but it remains unclear how many of them have been caught up in the data breach.
In a statement to Computer Weekly after the breach was confirmed, an Optionis spokesperson said the firm was unable to provide any more information at that stage, but wanted to reiterate to contractors that its team of cyber security experts were working “as quickly as possible on the investigation”.
The pace of the investigation is understood to have frustrated a number of the firm’s contractors, who have told Computer Weekly of their dismay that it took five weeks for the company to discover and announce the news of the data breach.
In a follow-up statement to Computer Weekly, an Optionis spokesperson said: “Our investigation is still very much ongoing, so there is nothing more we can add at this stage, but we will continue to work with our partners to complete this as soon as possible.”
Dark web data dump
Keller Lenkner confirmed to Computer Weekly that its cyber security experts have identified at least 350,000 records linked to the breach on the dark web.
These include the names and addresses of contractors, identity documents, national insurance numbers, payslips, salary information, employment contracts and company accounts. Data documenting staff sickness and training records have also been found in the data dump.
The law firm launched its group action last week and is preparing, within the next “14 to 21 days”, to submit a letter of claim against the company on behalf of those caught up in the breach, said Hayes.
“An action like this basically takes the form of gathering up interested parties and getting together as many of them as we possibly can to launch a claim… and seek recompense for the issues that those affected have sustained,” said Hayes.
At the moment, that is difficult to quantify because each individual caught up in the breach is likely to have been affected in different ways, based on the amount and type of data that has been leaked about them. At the time of writing, that is still unknown.
“There is a great concern at the moment, certainly from our clients, that there is a lack of information coming out from Parasol and the [Optionis] Group generally about what they propose to do about this and how they propose to protect the position of the individuals or companies affected,” said Hayes.
“If the company is doing incident management correctly, they should have a playbook for this. Most companies of their size seem to, and there doesn’t seem to be a repository of information [from Optionis] for individuals to help them understand what they need to do to protect themselves.”
In the meantime, there is no way of knowing who is viewing the data leaked on the dark web, or what they plan to do with it, he added.
“The reality of how this data has been put out there so far is that it is available to copy, and the problem that Parasol has, and the individuals affected by this have, is that nobody knows who may or may not be copying the data, and whether those that have will try to sell it on,” said Hayes.
Any individuals who have provided the Optionis Group, and any of its subsidiaries, with the mandatory “know your customer” (KYC) data for identity verification purposes in the last few years should be concerned, he added.
“If you have been part of the process with the organisation where you’ve handed over your KYC documents, and your payroll has been managed for some considerable time [by Parasol], anything from your tax returns through to your passports, driving licences and all of that type of information is likely to be compromised.”
Parasol and its parent company should “know exactly” what data is contained within its own systems and should be communicating with its contractors about what they should be doing to protect themselves, while also doing what it can to remove this data from the dark web, said Hayes.
At the time of writing, no further updates about the size, nature or age of the data contained in the leak had been released by Parasol or Optionis, although the company supplied Computer Weekly with a statement that said it was in the process of “reviewing all of the data that has been leaked by the cyber criminal gang”, so it can notify those affected by the breach.
“This review is a complex process which will inevitably take time, but we are putting significant resources behind it, and working with specialist IT experts to ensure that it is done as quickly and efficiently as possible,” said the company. “We would like to thank our employees, clients and partners for their support and patience while we continue to respond to this incident.”
Even so, the time it is taking Optionis to assess the leaked data is likely to be adding to the stress that contractors will be feeling since news of the cyber attack first broke.
“The way that Parasol is dealing with this whole situation is basically just adding to the stress and the concerns that these individuals have,” said Hayes.
Rather than sit around and wait for the company to issue updates, Computer Weekly has spoken to several contractors who have decided to take matters into their own hands and track down their data on the dark web themselves.
An initial analysis of the data dump, conducted by one sysadmin and shared with Computer Weekly, corroborates Keller Lenkner’s findings that at least 350,000 of the company’s files – amounting to about 167GB of data – have been leaked online.
“That’s all in one directory, with sometimes ambiguous file names,” said the contractor, who spoke to Computer Weekly on condition of anonymity.
This individual has spent the last few days downloading the data dump to see if any of his personal information has been compromised, after growing frustrated at waiting for Optionis to confirm or deny whether his payslips, passport data and bank account details had been leaked online.
Because of the size of the data dump and the limitations of trying to download the information through Tor, the individual said it would take several days for him to obtain it all before sifting through it to see if his information has been leaked.
“I have approximately 25% [of the data dump] and should have the lot by Friday [18 February], but it will still take a good bit of time and effort to rule myself, or anyone else, in or out,” he said. “Much of the data is in PDF and JPEG form, which is not easily greppable.”
Another contractor told Computer Weekly they had downloaded about 5% of the total data contained within the dump, which contained the home addresses and contact details for at least 7,000 of the firm’s employees, as well as 2,000 passport scans and around 700 driving licences belonging to people who make use of Optionis’s services in some form.
“That was a sample of 5% of the files out there, so the extent of this breach is massive,” said the contractor.
The type and amount of data that is known to be out there could, as is the case with past breaches, put those affected at heightened risk of identity theft and fraud, as well as phishing attacks.
Meanwhile, the IT contractors who are downloading the data are also acutely aware of the risks they are taking by digging into the dark web to retrieve it, but feel the lack of updates from Optionis has left them with no choice.
Even so, the individuals said they would caution other contractors against doing the same unless they have past experience of accessing resources on the dark web, and have a hardware setup in place that allows them to do so safely.
“Certainly, I would never use a work laptop connect to my client’s corporate network [to do this] because that would unnecessarily leave them open to these risks,” said the contractor, who shared their initial analysis of the data dump with Computer Weekly.
“The risks are the same risks as visiting any website generally, but you are statistically more likely to come to harm on the dark web due to the nature of the sites, their operators and the nature of the visitors.
“The main risk is that code on the sites exploits a vulnerability in your web browser software, such as a Javascript vulnerability, and if the browser is successfully exploited, there may be follow-on risks to other devices and data on the local network and beyond.”
For any contractor waiting on confirmation that their data has been compromised, Keller Lenkner’s Hayes said their priority should be to sign up for a fraud monitoring service, from the likes of Experian or CIFAS, that will tip them off should any attempts be made to use their data for identity fraud.
“If individuals are in a position where they know they’ve provided identity documents that they can reapply for, such as a driving licence or passport, then they absolutely should, to protect themselves,” he said.
“The more you can do to take away the capability of a fraudster to use the information contained in an identity document, the more you can protect yourself. But it is extremely difficult to put the genie back into the bottle when it’s out there.”
Hayes added: “Once somebody has grabbed even screenshots of these documents, that information can be tied together with any information that’s publicly available about you on social media, for example, and used against you. So I would also recommend that individuals in cases like this tighten up their social media profiles too.”