Save content
Have you found this content useful? Use the button above to save it to your profile.
A series of digital padlocks, some open some closed

SJD-Nixon Williams parent confirms data leak


UK contractor specialist Optionis, the group that includes SJD Accountancy and Nixon Williams,  confirmed that data hacked from its system has been released online, potentially affecting up to 40,000 clients.

9th Feb 2022
Save content
Have you found this content useful? Use the button above to save it to your profile.

As reported in January, the parent company behind contractor firms SJD Accountancy and Nixon Williams and umbrella outfit Parasol reported that their IT security had been comprised by online attackers after numerous users reported service outages.

Over the past three weeks, reports of accounting clients unable to access vital information ahead of self assessment and VAT return deadlines and umbrella clients remaining unpaid have flooded in, as the firms shut down their IT systems to deal with the attack, thought to be ransomware.

Optionis CEO Doug Crawford yesterday confirmed in an email to clients that data had been extracted from its system and published online - although details of the leak have yet to be established.

Crawford thanked Optionis clients for their patience while the breach was investigated and stated that the incident had now been contained and the police and relevant authorities notified.

“Our security team has now detected that some data belonging to Optionis was copied from our system and we believe some of that has been leaked online,” continued the email. “At this stage we have not been able to ascertain the precise nature of the information, however we are investigating this as an absolute priority.”

The group called in multinational service company Experian to support clients during the breach, offering a dedicated credit monitoring helpline for those affected by the hack. Clients can contact Experian on 0800 064 0433, Monday to Friday 9am to 5pm.

In what appears to be a separate attack, fellow umbrella firm Brookson, not part of the Optionis group,  reassured clients that the company’s systems are now functional following two cyber-attacks that knocked it offline for more than three weeks. In an FAQ on the Brookson website, the firm said: “The threat-actors that committed the cyber-crime took [our VoIP phone system] offline, and have subsequently been running DDoS attacks on our external customer portals.”

‘Having to start from scratch’

While some systems at SJD Accountancy, Nixon Williams and sister firm Parasol have been restored, reports from various sources point to continuing issues at all three of the affected firms.

One Trustpilot review posted yesterday stated that after nearly a month of systems being offline, SJD Accountancy was “not responding at all” to emails or phone calls: “It seems that the online system is showing some sign of life but lost a lot of functionality.”

Another SJD client reported they were “having to start from scratch”, commenting: “I seem to have a new portal to access which is missing half my data so I quite literally can’t do anything to self-help.”

A Nixon Williams client reported that the firm “failed to do my account closure and tax return and their platform is down, meaning I have to do my invoices manually and manual reconciliation”.

‘Where was the recovery plan?’

Two accountants who spoke with AccountingWEB on the condition of anonymity both said they had been in touch with SJD Accountancy and Nixon Williams clients looking for help.

“They [the clients] have no access to data. They don’t know if their VAT returns, self assessment or PAYE have been filed,” said one firm owner. “Their data has been lost and their previous firm can’t provide professional clearance. I’m having to reconstruct figures from last year’s accounts.”

Another partner at a separate firm commented that incoming clients were “having to pay new accountants for work that’s already been done”.

“I feel for all the people affected by this, including staff at the firms” they continued. “None of us are 100% protected, but where was the recovery plan? The back-ups? There’s a lesson for all of us about what data you hold, where you hold it and the dangers of holding client data centrally.”

With so much data now held in cloud systems via practice management and tax tools, both accountants expressed concern about the increased vulnerabilities this approach can bring.

Hackers only need to win once

“It’s an unfortunate event and can happen to anyone as the attackers only need to win once,” commented Mark Burgess, Director at IT services firm Orca. He called on accounting firms to do the basics well when approaching cybersecurity.

“It’s vital to educate staff on the risks and threats circulating on the internet,” he said. “After all, this is by far the most significant risk in any organisation and too many companies spend on the latest security technology whilst ignoring the human element. Once the basics are covered, layer security appropriately and make your business as difficult a target as possible. Attackers favour easier targets. 

“Finally, you’ll need to test, document and practice your recovery processes should the worst happen. Backups, specifically air-gapped are just one component of a successful recovery from an event like this.”

Operational risks

Backed by private equity firm Sovereign Capital, Optionis was originally formed under the name Arkarius in September 2014 and acquired SJD Accountancy and Nixon Williams in a deal reportedly worth £100m. In December 2016, Arkarius merged with Optionis, bringing on board accounting firm ClearSky, umbrella firm Parasol and tax specialist Brian Alfred. Together, these businesses provide accounting, payroll, tax and professional employment services to around 40,000 UK clients.

The latest accounts from Optionis made up to 31 October 2020 state that it has more than 18,000 accountancy clients across its various companies. The group generated £436m in revenue, making a loss of £5.7m. In total it employs around 700 staff across 10 sites around the UK.

In the operational risks section of the accounts, the group puts the likelihood of a cyber breach at medium (on a scale of very high, high, medium and low) but assesses the likely impact of such an event as “very high”.

During the height of the Covid pandemic, the group received furlough payments totalling £4.17m and deferred VAT payments due in March and June 2020. These payments will fall due by 31 March 2022.

Replies (10)

Please login or register to join the discussion.

By User deleted
09th Feb 2022 12:03

We can all have a good laugh at a "warehouse accountant" getting hit, and I have done.

However, it is only a matter of time before cloud services that we use get hit too, thus leaking our and our clients data. ie not our platform but it will end up being our problem.

Maybe after a few more hacks, leaks and deletions, everyone will see that having everything in the cloud isn't all that was promised.

Just like we were told to not bother having physical copies of films as you can access Netflix etc - which was great until they started to delete old/"non-PC" films and programmes.

We were told that use of oil is going to be restricted and that would all be fine due to wind farms- but I think the penny is finally starting to drop that that might cause a massive drop in living standards. Who'd have thunk it?

All these big promises never seem to deliver. In fact, they seem to deliver the opposite.

Now, I'm off to get my fourth injection in the space of a year. Never "needed" to have so many before. The promise is that will give me loads of protection. Mind, they said that about the second one. Then also about the third one. Still, I bet this promise is solid. Big Pharma have never ever lied or been wrong before have they? Have they?

Thanks (4)
Replying to User deleted:
Mark T
By MarkTunstall
10th Feb 2022 08:50

Cloud services have to be thoroughly robust with their protection measures as they have thousands of doors to cover, whereas the attacker only needs to be successful with one door.

It's precisely why we recommend that all cloud services are fully backed up in a way that is segregated from the main vendor's production system. That includes things like 365, which really only has rudimentary backups/version control, but it applies to most cloud services unless they clearly specify that they go above and beyond, and cover a period that you are comfortable with.

Much of this has to fall on the people taking the cloud services though. The rush to the cloud seems to stop proper due diligence. Promises of cheaper solutions are so enthralling that I think people often forget to check the T&Cs.

What I've generally found is that when you apply all of the additional controls and measures to ensure you and your data is protected to a comfortable level, the "its cheaper" argument is usually lost, or at best it becomes break even.

The key to taking on any cloud service is not to see it as a cheaper way of doing business - and instead to ensure you measure the benefits properly. If its still beneficial to move, then do so. If not, reassess and return to market.

Thanks (0)
Replying to User deleted:
By Hugo Fair
10th Feb 2022 14:28

Focusing on the Cloud bit ... in essence no-one should believe that doing things properly (which in this case includes securely) will save money - it doesn't!

And with regard to the 'everything digital' movement, last week's New Scientist had an interesting piece - which included:
"if you want to preserve information put in on paper, or better still, vellum (which can be read 1000 years later). There is no current technology medium & format that claims to have a shelf-life of over 20 years and, if you think back over the last 20 or so years, you'll find even that very optimistic"

Most providers of 'things digital' (products or services) have a 'vision' that only extends forward for 5 years or less. They are providing disposable offerings that are fine if, for instance, you regard accounts simply as a scratch-pad for figures - but of no use if, for another instance, you are being asked for documentation on share transactions (or leases or ...) that took place 30 years ago.

Thanks (1)
Replying to User deleted:
By creamdelacream
10th Feb 2022 15:15

This isn't the fault of 'cloud', it's the fault of these companies not having proper measures and procedures in place for something like this. It was a very unsophisticated portal that was hacked, not 'the cloud', and information stored locally can just as easily be hacked or the victim of ransomware without measures in place. I hardly think you can compare this to proper cloud providers who have proper security measures and backups etc. and say this isn't what was promised LOL

Thanks (0)
By chrisjbrown
09th Feb 2022 15:36

This must be extremely frustrating and worrying for many Nixon Williams clients, and rightly so.

We are based up the road from their office in Thornton-Cleveleys. So if there are any clients that need assistance from us to get their accounts or tax up to date, our team is happy to do what we can to help them.

Just email us at: [email protected]
Brown & Co

Thanks (0)
By bobsto12
10th Feb 2022 09:56

I'm a parasol contractor. They denied initially that personal details had been leaked despite warnings on trust pilot that our details were for sale on the dark web.
It makes me realise how vunerable the country is to a cyber attack. We like to think that our government has defences in place to stop any thing catastrophic happening but maybe that's what the Americans thought before Pearl Harbour in 1941?

Thanks (1)
By johnjenkins
10th Feb 2022 10:05

MTD should be a piece of cake for the Hackers then.

Thanks (2)
Replying to johnjenkins:
By Hugo Fair
10th Feb 2022 14:14

Yeah, if you like terrifying yourself.
Just imagine a 'creative' hacker who likes a bit of blackmail and demands immediate payment of £x (almost certainly in crypto currency to an anonymous wallet) - else they'll re-submit your tax returns (and most certainly not to your advantage)!

Thanks (1)
Replying to Hugo Fair:
By johnjenkins
10th Feb 2022 14:33

From pawn sites to MTD in one easy button.

Thanks (1)
By AndrewV12
24th Feb 2022 13:06

Extract above
“They [the clients] have no access to data. They don’t know if their VAT returns, self assessment or PAYE have been filed,” said one firm owner. “Their data has been lost and their previous firm can’t provide professional clearance. I’m having to reconstruct figures from last year’s accounts.”

I would be interested to know when the clients were first told about the data breach, similar to other breaches the first the clients know was about the data breach was knock on problems with inaccurate explanations given.

Thanks (0)