
Delayed pay: Umbrella company cyber attacks disrupt salary payments to thousands of contractors

Thousands of contractors across the UK are anxiously waiting to see if their payroll cycles will be disrupted for a second week, after two of the umbrella industry's biggest players were targeted by cyber criminals.

Thousands of contractors across the UK are facing a second possible week of payment delays, following separate cyber attacks on two of the umbrella industry’s largest players.

Brookson Group and Parasol have both been forced to proactively disable client-facing systems and minimise their online presence as a result of the attacks, while trying to maintain payroll runs for the tens of thousands of contractors who they employ.

Social media sites Twitter and LinkedIn have been awash with complaints from contractors who have experienced delayed payments as a result of these incidents, with some receiving far less pay in their wage packets than they were expecting.

At the time of writing, the websites for both companies stated they were down for maintenance, with their most recent status updates confirming work to restore their systems remains ongoing. 

Parasol was the first of the two companies to be targeted, with anecdotal reports suggesting its systems were hit on Monday 10 January 2022. In its latest status update, dated 19 January, it said it was “still in the early stages” of investigating the incident, but confirmed it has “temporary measures” in place to ensure its contractors are paid.

In a follow-up email to its contractors, seen by Computer Weekly, the company said it should be in a position to resume “normal payroll runs” from Thursday 20 January, after the attack left it unable to access contractor time sheets and other resources it uses to calculate how much its contractors should be paid. 

“We do remain unable to apply personal pension contributions and expenses until further notice. We anticipate that any adjustment that needs to be made in relation to advanced payments will be made during the next week,” the email update added. 

Brookson, meanwhile, confirmed the attack on its systems occurred on the evening of Thursday 13 January, and in its most recent email to contractors assured them that its “remediation plan” is being “progressed as urgently as possible” and will include “activating elements of [its] technology stack in a specific sequence throughout the week”.

A suspected case of ransomware

Neither company has publicly shared details about the type of attack their systems have been subjected to, giving rise to speculation that both Parasol and Brookson may have fallen victim to a ransomware attack.

If so, it would not be the first umbrella company to be allegedly targeted in this way. Several months ago, the Giant Group payroll processing company was subject to a suspected ransomware attack that prompted it to proactively suspend its entire operations, following the discovery of suspicious activity on its network.

In echoes of the attacks on Parasol and Brookson, thousands of contractors working for Giant Group experienced delayed and late payments, and ran into difficulties when trying to contact the firm to chase their missing wages in the week that followed.

As reported by Computer Weekly at the time, IT security experts said the speed of the outage and the lengthy time it took Giant Group to recover from the attack heavily suggested the company had been targeted by ransomware-peddling cyber criminals.

Speaking to Computer Weekly on condition of anonymity, a cyber security consultant with experience of working within the financial services sector said that there are several markers about the attacks on Parasol and Brookson that strongly indicate the involvement of ransomware here too.

“It is taking a long time to recover the systems...if it was a simple fault, they would find it and fix it. If it was a data loss, they would restore it. These things should be part of their recovery playbook,” the source said. “The longer the recovery takes, the more speculation builds that there is something bigger afoot here, and that could be ransomware.”

And it is not difficult to work out why an umbrella company might prove to be an attractive target for a ransomware attack, the source continued.  

In the wake of the government’s ongoing efforts to clamp down on tax avoidance within the contractor community, through the roll-out of the IR35 reforms to the private and public sector, the number of individuals working through umbrella companies has soared.

This is as a result of companies seeking to side-step the reforms by telling contractors they can only continue to work for them if they agree to provide their services through umbrella firms, which assume responsibility for paying the contractor their wages.

As the number of contractors engaged through umbrella companies has grown, the amount of money passing through these payroll processing entities has risen markedly, making these firms a prime target for ransomware-like attacks.

“An awful lot of umbrella companies have suddenly become cash-rich on the back of these reforms,” said the source. “If you are a cash-rich company and haven’t been the subject of a ransomware attack, that might just be because it’s not your turn yet.

“The umbrella market has done very well out of the IR35 reforms, and will have its hands on a lot more money than ever before. If I know that, then people who are interested in cyber attacks will know that too. And now umbrella companies are ripe candidates for ransomware attacks, but they wouldn’t have been before.”

In the wake of the attacks on Parasol and Brookson, the entire umbrella sector has been warned to take protective action to safeguard and secure its systems and data in the event of further incidents occurring.

The Freelancer and Contractor Services Association (FCSA) told its members, which include Giant Group, Parasol and Brookson, to undertake “comprehensive and regular reviews of their system security” and their processes for “safeguarding of personal data” in response to the attacks.

Umbrella companies are renowned for operating on wafer-thin margins, and Computer Weekly’s source said the “sophistication and current state of their cyber defences” is likely to reflect this.

“The sophistication of any company’s cyber defences depends on money, planning, infrastructure, process – and none of that comes cheap. And the bigger companies probably tend to have the best defences,” the source said.

“[These umbrellas] are not small companies...they will have their own IT and security teams, and they probably all host services on Amazon Web Services or Microsoft Azure, and will take the benefit of the native security and the control [those platforms offer].

“What you have to wonder is how much money and sophistication they are able to spend on things like endpoint access, defending themselves against perimeter attacks and that type of thing.

“That stuff costs a lot of money, and the amount of money the financial services giants spend on this goes up every year because it has to. It’s expensive to put a strong lock on the door, and one has to wonder if umbrellas have the money to do that,” the source added.

Aside from money, there is speculation within the wider contracting community that the attacks could be the work of an individual or group of people who hold a grudge against the umbrella company community.

The sector is regularly the subject of unfavourable press coverage, in the wake of reports about non-compliant firms making unlawful and unnecessary deductions from the pay of the contractors on their books, with MPs releasing a report last year calling for the sector to clean up its act.

“There is speculation these attacks are part of a wider vendetta against the umbrella industry, and that specific firms are being targeted in order to discredit them,” Julia Kermode, founder of independent worker consultancy IWORK.co.uk, told Computer Weekly.

“The sector has always been Marmite, but even if you fall on the side of hating umbrellas, these cyber attacks are on another level. In my opinion, the criminals behind [them] are more likely motivated by the very large sums of money at stake from thousands of contractor salaries, rather than someone aggrieved about the industry.”

Computer Weekly has spoken to numerous contractors over the course of this week about what they have made of the differences between how some of the firms involved have moved to keep their contractors up to date with what is going on.

Brookson Group has been praised for how quickly it went public with the news that it had suffered a cyber attack on Thursday 13 January, divulging the news in a public LinkedIn post the following day.

As reported by Computer Weekly at the time, the firm confirmed it had suffered an “extremely aggressive” cyber attack in the post, and had – as a result – referred itself to the UK National Cyber Security Centre (NCSC).

In a follow-up post several hours later, authored by the company’s CEO, Brookson said an analysis of the incident showed that no data belonging to any of its 15,700 clients had been compromised in the attack.

At the time of writing, Brookson’s websites were still showing as down for maintenance, but one of the firm’s contractors – who spoke to Computer Weekly on condition of anonymity – said he appreciated how “transparent” the company has been in the wake of the attack.

“The CEO has taken to LinkedIn to make announcements [about what is going on], which I think is a very brave and bold move,” said the contractor. “I have been worried about what has been stolen, removed or blocked by the people responsible, but right now [the company] still has my trust.”

Communication breakdown and delays

Meanwhile, the Parasol companies, which include Nixon Williams and SJD Accountancy, have come under fire from contractors on social media for taking so long to publicly acknowledge what was going on, having initially blamed the payment delays and system access issues on an unspecified outage.

To this point, Parasol contractors told Computer Weekly they first realised problems were afoot at the firm on Monday 10 January 2022, but it wasn’t until Wednesday 12 January 2022 that the company published a statement on its social media pages to acknowledge the issue.

It then took it until Friday 14 January to confirm that it had fallen victim to a cyber attack, in an email to its contractor client base.

After repeated requests for assurance from contractors on social media, this email also marked the first time the company confirmed no personal data had been compromised during the incident.

“We have an experienced team working tirelessly to resolve this matter in a safe and controlled manner,” the email said. “Balancing speed versus safety is crucial in circumstances such as these. We have a strong, dedicated IT, security and infrastructure team working around the clock, alongside our pre-existing security specialists.”

Despite these assurances, Computer Weekly has spoken to several Parasol contractors who said they are preparing to leave the company and join an alternative payroll provider instead, citing how the firm has handled the fallout from the attack.

Among them is an IT contractor specialising in the provision of payroll services, who described the firm’s communication and disaster recovery since the attack happened as dire. Like thousands of other contractors, he received last week’s pay later than expected and is now waiting to see if he will be paid on time this week.

“They have been saying since [Friday 14 January] that normal payroll service should resume in 48 hours…but nothing is sorted. It’s all still down, and the communications are still dire through their online chat and it is still taking ages to get a response on the phone,” he said.

“I am not planning on staying with Parasol and they made a mess of my payroll and tax when I moved agency to a new role in a new company late last year as well. I was thinking of leaving anyway, and this has just sealed the deal for me.”

The company has frequently acknowledged in its emails to contractors over the course of this week that the level of support and contact it has offered throughout the incident has been lacking, owing to the fact large portions of its systems have been offline. 

“We know we are not providing our usual levels of support to you. Our system constraints are such that this has been impossible,” the company said in an email to contractors on 14 January 2022. “We are very mindful that you want us to keep you well informed on this matter; that you want to be able to contact us; and, as importantly, you need to be paid.”

Another contractor, who spoke to Computer Weekly on condition of anonymity and has been a member of Parasol since the summer of 2021, said they are also in the process of weighing up whether or not to jump ship.

“As a result of Parasol’s handling of this incident – and the way in which they have treated their contractors – I will not be using their services in the future. I have lost all trust in Parasol, [and] they have spectacularly failed my expectations as a customer,” they told Computer Weekly.

“The scenario in which I would consider remaining with Parasol would be if they shared their major incident report and details of any improvements to the resiliency and security of their IT infrastructure, as well as their disaster recovery plans.

“Obviously, they are not going to share that due to the security implications, which is ironic, and I therefore have no confidence that we would not see a repeat of this incident in the future.”

IWORK’s Kermode said any contractors that are thinking about moving to a new umbrella need to bear in mind that they might have to wait a while before they do, depending on the terms and conditions set out in their employment contracts with Parasol.

“It is likely to be an employment relationship, meaning that contractors will need to resign and adhere to any required notice period,” she said. “Also, contractors will need to ensure that any new umbrella that they choose is acceptable according to any preferred supplier list that the recruitment agency or end-client has in place.”

As for what contractors should be looking for when seeking out an alternative provider, it is difficult for any umbrella to offer assurances that a cyber attack will never befall them, because such incidents can happen to any business, said Kermode.

“That said, contractors will certainly be wise to ask about what protections are in place [during their vetting procedures],” she added.
