In January 2022, Parasol – an umbrella company used by contractors across the UK to manage their payments – shut down some of its systems after “malicious activity” on its network. Parasol later admitted that cybercriminals accessed personal data in the ransomware attack. In response, Keller Postman UK launched an action to help those involved in the security failure claim compensation.
The compromised information belonged to Parasol’s parent company Optionis. When looking into the data breach, our investigators found that the following businesses could also have been affected by the same cyberattack: Optionis, Optionis Group, Parasol, Arkarius Midco, Arkarius Bidco, Optionis Midco, SJD Accountancy, Nixon Williams, First Freelance, First Umbrella, Optionis Bidco, Clearsky Accountancy and Payroll, Optionis Management, Clearsky Contractor Accounting, Silverline Performance, Wheatley Pearce, Arc Licensed Trade Consultancy, Brian Alfred, and Arnsco.
Together, these businesses provide services to tens of thousands of contractors. Customers of these businesses may also have had their data stolen and, if so, can join our compensation claim.
Optionis is guilty of flagrant GDPR breaches
We have been investigating the Parasol/Optionis data breach to discover what happened, how it happened, and how it affected customers of these businesses. We believe that:
- The cybercriminals were able to access the personal data due to failings in Options’ computer systems.
- The hackers published the data stolen in this attack on the dark web.
- The lost and published data could identify victims of this breach. This leaves them open to the possibility of further attacks.
- Some of the online files contain words that suggest a leak of a very worrying amount of personal data. For example, 13,000 filenames contain the word “payslip”; others contain words indicating that the files relate to bank account information, tax records, passports, commercial documents, contracts, pension information and company names.
- Victims of this breach received no more than the barest of information about the circumstances surrounding their data loss. Optionis did not explain how the breach was allowed to happen or what they have done since.
Ultimately, we believe that Optionis is guilty of flagrant breaches of the United Kingdom General Data Protection Regulation (UK GDPR). We also believe that victims of this data breach have a solid and winnable case.
We have already signed up many people involved in the personal data breach, and we encourage anyone else who has been affected to register with us. If you are not sure if you are affected, we can find this out for you.