A group of people in an office setting, coding on desktop computers

Co-ordinated attacks on Brookson and Parasol

Umbrella companies Brookson and Parasol are the latest businesses in their sector to fall victim to a cyberattack. Both were hit within days of each other in mid-January, months after counterpart Giant fell victim to a carbon copy attack.

Brookson’s head of sales, Rob Arnold, told ContractorUK that “no data was removed” from the firm’s network. The firm said it was aiming to pay all contractors on time as usual that week. However, in the case of Parasol, many contractors were paid late or received a lower than usual advance payment due to the disruption.

Attacks seem to be malicious rather than financially motivated

While the specific type of attack wasn’t disclosed, one director told ContractorUK that it didn’t appear to be due to ransomware.

Speaking to ContractorUK on condition of anonymity, they said: “Of Brookson and Parasol, the biggest impact on contractors will be Parasol, because it’s the larger umbrella.

“Indeed, Parasol has already had to pay people late and manually. But there’s been no ransom issued. So it sounds purely malicious.”

Brookson refers itself to the NCSC, but is that enough?

Arnold, who referred to the attack as an “incident” without disclosing further details, said Brookson had reported itself to the UK National Security Centre.

However, data lawyer Charlotte Gerrish told ContractorUK that both Brookson and Parasol may need to notify the Information Commissioner’s Office (ICO), too.

Gerrish said: “Contractors should note that the UK GDPR imposes obligations on payroll companies to report certain personal data breaches to the Information Commissioner’s Office within 72 hours of becoming aware of it.

“If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, then affected payroll companies must also inform those individuals without undue delay.”

Larger umbrella companies becoming attractive targets thanks to the data they hold

With at least three large umbrella companies now having been the victims of cyberattacks in recent months, one accountant believes the only way for contractors to stay safe and avoid such disruptions in future is to look at a smaller umbrella company.

James Poyser told ContractorUK: “This [hacking of Parasol and Brookson] is on the back of Giant’s recent catastrophic attack…[so], if you can, move to a smaller umbrella company.

“The larger [umbrellas companies] will always be an attractive target, given the vast sums of cash [now] flowing through their [systems].”

Gerrish said that recent IR35 reform, which increased the volume of data held by umbrella companies, also contributed to the growing attractiveness attached to hacking these businesses. She continued: “Given the increased number of cyberattacks against umbrella companies in recent months, it is clear that cybercriminals are taking advantage of the fact so many contractors now need to work on a payroll basis following implementation of IR35 reform, which has resulted in umbrella companies having increasing volumes of personal data.”

Is regulatory oversight of umbrella companies now inevitable?

Poyser believes the recent spate of cyberattacks highlights the need for umbrellas to be subject to mandatory regulatory requirements, like those the Financial Conduct Authority places on financial products and services providers.

Firms react as contractors urged to take action

Concerns about the scale of these cyberattacks heightened after Parasol revealed it was setting up a whole new payroll system rather than reinstating the one that had been compromised. While Parasol said it had been paying contractors to catch up, many had reported still having monies outstanding, with no indication as to when they would receive them.

Contractors have also been urged to take steps to protect themselves, both financially in the near term as well as having mechanisms in place to prevent them from becoming victims of fraud and identity theft.

Adam Home, an expert in chasing outstanding contractor fees, told ContractorUK: “For any contractor impacted by the recent issues, now is the time to be a little more proactive in your credit management.

“Do not assume you will receive full payment…and take steps to manage your own cash flow and exposure to creditors.

“It may now also be prudent for contractors to invest in credit monitoring or other personal credit score services, to ensure any personal information that may have been purloined [in these hacks] isn’t used for nefarious purposes.”

Clients of Parasol and Brookson fielding calls from rival companies

Unsurprisingly, other umbrella companies were quick to target Parasol and Brookson clients.

The managing director of one staffing agency told ContractorUK: “I’ve had calls and emails from other umbrella companies all day today, about improvements they are making to both their business continuity plans and their cyber security systems. And not just today. They’ve been circling like vultures for the last few days.”

At the time of writing, neither company had provided any further updates on these cyberattacks.

Get in Touch

Fill in the form below to tell us your details, and we’ll get started.