
Cyber attack on a UK staffing company: a 'war story'

Published on 13th Jun 2024

What lessons can workforce solutions companies draw from a recent ransomware attack that likely affected 250,000 people?

Staffing and payroll companies have been hit by a number of high-profile cyber attacks over the last year, with the incidents having been – needless to say – stressful and potentially existential for some of those involved.

These attacks are more widespread than many realise; understandably, affected companies will not always want the world to know they have been attacked. But the risk is not going away.

Companies involved in workforce arrangements hold large volumes of sensitive personal data and will continue to be very attractive targets for cyber criminals. In addition, payroll companies are coming under increasing scrutiny from their customers, both because of high-profile attacks on them, such as the recent UK Ministry of Defence payroll data breach, and because of the increased focus in general on supply chain liability.

Ransomware attack

A staffing company providing personnel to clients in the UK and overseas became aware that it had suffered a cyber attack when parts of its system suddenly became unavailable because they had been encrypted by ransomware. Although the business was able to restore its systems rapidly from backups, subsequent investigations found that the data of approximately 250,000 individuals were potentially affected. Restoring from backups addresses the encryption but says nothing about whether data was copied out before it was encrypted, so the data protection analysis does not end when the systems come back up.

The business decided not to interact with the ransomware group and made precautionary notifications to regulators and potentially affected data subjects. Threat surveillance by large customers and the National Cyber Security Centre subsequently identified that the potentially affected data had been exfiltrated and dumped on the dark web.

Close legal support

The staffing company immediately instructed lawyers – Osborne Clarke in this case – who prepared the initial notification to relevant regulators, including the Information Commissioner's Office (ICO). A forensic technical expert was also instructed to contain and investigate the incident under legal privilege. The lawyers also liaised with the company's insurers in relation to its cyber security cover. 

The company's board was advised on the practicalities and legality of negotiating with the ransomware group and was helped to reach a strategy on how to proceed.

Client and supply chain issues were also a focus. The company was advised on its contractual obligations to clients to ensure that civil liability risk was minimised and commercial relationships were preserved. This involved providing advice on significant claims for indemnity by clients for their costs of dealing with the incident.

Data protection obligations were addressed. The company was advised on understanding the potentially affected data, assessing the risk to data subjects and properly documenting its assessment and decision-making process.

Once a decision was made to notify data subjects, the company was assisted with drafting notification correspondence, managing the notification exercise in the UK and overseas, and its communications strategy. The company was then assisted in a protracted ICO investigation; in these situations there is a real risk of a serious reprimand, a fine or both. Ultimately, the investigation resulted in no further action against the company.

Some of the individuals notified made claims for compensation. Lawyers helped the company resolve those claims quickly and cost effectively without making compensation payments. Post-incident advice was provided to the company on its data storage and retention policies, its contractual obligations and recourse against customers and suppliers, and incident response training.

Minimise problems in advance: a checklist

What steps should companies involved in workforce solutions take to minimise problems in advance?

  • Carry out incident response preparation and planning.
  • Carry out contractual risk management, including the review and management of supply chain exposure – a supplier's cyber risk may become the company's own cyber risk.
  • Prepare risk assessments for the processing and storage of special category data, and review or write cyber security policies.
  • Carry out readiness exercises, including war gaming and lessons-learned assessments.
  • Carry out cyber insurance reviews and obtain legal advice on the adequacy of coverage.

Osborne Clarke comment

It is also worth remembering, for those planning mergers and acquisitions or fundraising projects, that when that market fully returns in the next 12 months, preparedness for a cyber attack is likely to be a main focus for due diligence – and investors are aware of this risk area in the workforce solutions sector.

Osborne Clarke can help your business prepare for and respond to an attack. Our four-partner UK team dedicated to cyber incident response is supported by a team of assistants and market-leading cyber teams across our international offices. The team has dealt with hundreds of cyber incidents of all sizes and levels of complexity and was recognised as the number two European-headquartered legal practice for data and related services in the 2024 edition of the GDR 100.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
