ICO hits hacked firm with GDPR reprimand
The Information Commissioner’s Office has severely reprimanded accounting services group Optionis (now rebranded to Caroola) for failings relating to the ransomware attack that knocked out its systems for weeks and saw client documents published on the dark web.
In an official reprimand, information watchdog the Information Commissioner’s Office (ICO) stated that Optionis failed to put in place technology, policies and systems to ensure a level of security appropriate to the risk.
In January 2022, the Optionis Group suffered one of the largest ransomware attacks the accounting industry has ever seen, with group members SJD Accountancy, Nixon Williams, ClearSky and the Parasol umbrella group all hit by significant outages.
In the days and weeks after the attack in 2022, AccountingWEB received reports of clients left unable to access vital information ahead of self assessment and VAT return deadlines, umbrella clients of the group remaining unpaid, and staff at the affected firms unable to access client files.
This was followed up by news that sensitive information from up to 28,000 clients, mainly contractors, totalling an estimated 315,000 files had been published on the dark web. According to a report in the IT publication The Register, these included the management accounts of client companies, HMRC letters discussing clients’ tax status, passport copies and payslips.
Given that the Commissioner has various powers to take action for a breach of UK GDPR rules, including the ability to issue fines of up to £17.5m or 4% of a firm’s annual worldwide turnover (whichever is higher), victims of the attack may wonder what the Commissioner considers to be a serious breach.
In April 2023, Optionis rebranded the group and all of its entities to Caroola Group.
Security failures on multiple fronts
The reprimand stated that Optionis failed to have appropriate organisational measures in place to ensure the confidentiality and integrity of its systems.
“Optionis had no clear Bring Your Own Device (BYOD) policy and an inadequate account lockout policy,” stated the reprimand. “Had these elements been addressed sooner, it could have significantly reduced the likelihood of a successful attack.”
The ICO went on to state that despite extensive guidance available from the National Cyber Security Centre, Optionis had failed to put critical data protection measures such as multi-factor authentication (MFA) in place for the affected user account.
While specifics of how the breach happened are minimal, details in the reprimand indicate that the ransomware group gained access by logging into a group member’s admin account.
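The two control gaps the reprimand names, an inadequate account lockout policy and no MFA on the compromised admin account, can both be checked mechanically. The script below is an added illustration written for this article, not code from Optionis, Caroola or the ICO: it replays a constructed sample of login events under a hypothetical lockout policy (five failures in fifteen minutes locks the account for thirty minutes) and reports which successful logins such a policy would have prevented, then lists privileged accounts from a constructed inventory that have no MFA enrolled. The usernames, timestamps and account attributes are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (user, ISO timestamp, outcome); not data from the reprimand.
SAMPLE_EVENTS = [
    ("admin01", "2022-01-10T02:00:05", "fail"),
    ("admin01", "2022-01-10T02:00:09", "fail"),
    ("admin01", "2022-01-10T02:00:13", "fail"),
    ("admin01", "2022-01-10T02:00:17", "fail"),
    ("admin01", "2022-01-10T02:00:21", "fail"),
    ("admin01", "2022-01-10T02:00:25", "fail"),
    ("admin01", "2022-01-10T02:00:40", "success"),
    ("jsmith", "2022-01-10T09:11:30", "fail"),
    ("jsmith", "2022-01-10T09:12:00", "success"),
]

# Hypothetical account inventory: privilege level and MFA enrolment status per account.
SAMPLE_ACCOUNTS = {
    "admin01": {"privileged": True, "mfa": False},
    "jsmith": {"privileged": False, "mfa": True},
    "backup-svc": {"privileged": True, "mfa": True},
}


def simulate_lockout(events, threshold=5, window=timedelta(minutes=15),
                     lockout=timedelta(minutes=30)):
    """Replay login events per account under a lockout policy.

    After `threshold` failures inside `window`, the account is locked for
    `lockout`; any event arriving while locked is recorded as blocked.
    Returns {user: [(timestamp, outcome), ...]} for blocked events only.
    """
    per_user = defaultdict(list)
    for user, ts, outcome in events:
        per_user[user].append((datetime.fromisoformat(ts), outcome))

    blocked = defaultdict(list)
    for user, items in per_user.items():
        recent_failures = []
        locked_until = None
        for when, outcome in sorted(items):
            if locked_until is not None and when < locked_until:
                # Account is locked: the attempt never reaches password checking.
                blocked[user].append((when.isoformat(), outcome))
                continue
            if outcome == "fail":
                recent_failures = [t for t in recent_failures if when - t <= window]
                recent_failures.append(when)
                if len(recent_failures) >= threshold:
                    locked_until = when + lockout
                    recent_failures = []
            else:
                # A genuine successful login resets the failure counter.
                recent_failures = []
    return dict(blocked)


def blocked_logins(events, **policy):
    """Successful logins that the lockout policy would have prevented."""
    return {
        user: [ts for ts, outcome in hits if outcome == "success"]
        for user, hits in simulate_lockout(events, **policy).items()
        if any(outcome == "success" for _, outcome in hits)
    }


def privileged_without_mfa(accounts):
    """Privileged accounts that have no MFA enrolled."""
    return sorted(name for name, attrs in accounts.items()
                  if attrs["privileged"] and not attrs["mfa"])


if __name__ == "__main__":
    print("logins a lockout policy would have blocked:", blocked_logins(SAMPLE_EVENTS))
    print("privileged accounts lacking MFA:", privileged_without_mfa(SAMPLE_ACCOUNTS))
```

Run against real authentication logs, `blocked_logins` gives a concrete count of logins that an enforced lockout threshold would have stopped, which is a useful way to argue for the policy internally; `privileged_without_mfa` is the inventory check that would have flagged the admin account the reprimand describes.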
A compounding factor to the oversights listed above was that Optionis took 11 months to notify all individuals of the breach. A report from Contractor UK stated that the group originally communicated the attack to users as nothing more than system “issues” or “maintenance”.
In an explanation to the ICO listed in the reprimand, Optionis said that the analysis of the “impacted personal data” took a considerable amount of time to complete due to the sheer volume of data lost.
The Commissioner also noted that Optionis held personal data for longer than was necessary – a separate page on the ICO site states that firms must not keep personal data for longer than they need to.
The Commissioner welcomed remedial steps taken by Optionis following the incident, which included the correction of all underpayments to individuals by 6 February 2022, commissioning a third-party cyber security firm to investigate the incident, and implementing a comprehensive set of policies to protect and control the security of personal data.
The group has also now deployed 24/7 managed detection and response (EDR) covering all corporate devices and enabled multi-factor authentication (MFA) on user accounts.
Reacting to the ICO reprimand, a spokesperson from Caroola Group gave AccountingWEB the following statement:
"In January 2022, we were the victim of a cyberattack perpetrated by a sophisticated criminal group. As soon as we identified the issue, we took immediate steps to contain, mitigate and resolve it, as well as launching an investigation supported by external IT security specialists. We were able to secure and safely restore our IT infrastructure and return to normal operations within a few weeks. Those whose data was affected were notified in line with our data protection obligations and offered free credit monitoring.
"While no organisation can eliminate the risks of this type of incident, our primary objective is to uphold the highest standards of data security and compliance. To achieve this goal, we have implemented a comprehensive range of measures, which were recognised as positive by the ICO, and included:
- Enhanced Data Security Policies: We have significantly improved our robust data security policies.
- Rigorous User Privilege Reviews: We conduct thorough reviews of user privileges.
- Stringent Authentication Measures: Strong authentication protocols have been meticulously implemented.
- Comprehensive Data Protection Training: Our employees receive rigorous data protection training programs.
"We are pleased that the ICO has recognised these proactive steps when considering their findings. Our commitment to continuous improvement in data protection and cyber security remains resolute."
Laura Bannon, Senior Associate on the data breach team at group action law firm Keller Postman UK, has been working with victims of the hack and told AccountingWEB that due to Optionis's positioning as a payments processor, the effects of this breach have been grave due to the nature of the information stolen.
“Signatures, payslips, passport copies – all that information is ripe for identity theft which can have a huge impact on people’s lives,” said Bannon. “Affected clients have reported card fraud, identity theft, and suffered significant anxiety from their personal data being compromised.”
“Given the nature of data that was stolen such as dates of birth and NI numbers, many claimants have no way of ensuring that criminals will not exploit their information at some point in the future.”
Those affected by such breaches are encouraged as a first step to register with a consumer credit reporting agency, many of which offer services that flag if an individual attempts to take out a loan in their name. Optionis reportedly provided Experian accounts for people affected by the data breach – although several individuals noted that this was just for a one-year contract.
Virtual private network (VPN) services also offer services that flag if an individual’s name or personal information appears on the dark web.