What lessons can workforce solutions companies draw from a recent ransomware attack that likely affected 250,000 people?
Staffing and payroll companies have been hit by a number of high-profile cyber attacks over the last year, with the incidents having been – needless to say – stressful and potentially existential for some of those involved.
These attacks are more widespread than many realise; understandably, affected companies will not always want the world to know they have been attacked. But the risk is not going away.
Companies involved in workforce arrangements deal with lots of sensitive personal data and will continue to be very attractive targets for cyber criminals. In addition, payroll companies are coming under increasing scrutiny from their customers given the high-profile attacks on them, such as the recent UK Ministry of Defence payroll data breach, and the increased focus in general on supply chain liability.
Ransomware attack
A staffing company providing personnel to clients in the UK and overseas became aware that it had suffered a cyber attack when parts of its system became suddenly unavailable due to encryption by ransomware. Although the business was able to restore its systems rapidly from backups, subsequent investigations discovered that the data of approximately 250,000 individuals were potentially affected.
The business decided not to interact with the ransomware group and made precautionary notifications to regulators and potentially affected data subjects. Threat surveillance by large customers and the National Cyber Security Centre subsequently identified that the potentially affected data had been exfiltrated and dumped on the dark web.
Close legal support
The staffing company immediately instructed lawyers – Osborne Clarke in this case – who prepared the initial notification to relevant regulators, including the Information Commissioner's Office (ICO). A forensic technical expert was also instructed to contain and investigate the incident under legal privilege. The lawyers also liaised with the company's insurers in relation to its cyber security cover.
The company's board was advised over the practicalities and legality of negotiating with the ransomware group and helped in reaching a strategy on how to proceed.
Client and supply chain issues were also a focus. The company was advised on its contractual obligations to clients to ensure that civil liability risk was minimised and commercial relationships were preserved. This involved providing advice on significant claims for indemnity by clients for their costs of dealing with the incident.
Data protection obligations were addressed. The company was advised in understanding the potentially affected data, assessing the risk to data subjects and properly documenting their assessment and decision-making process.
Once a decision was made to notify data subjects, the company was assisted with drafting notification correspondence, managing the notification exercise in the UK and overseas and communications strategy. The company was then assisted in a protracted ICO investigation; obviously, there is a risk of serious reprimands or fines or both in these situations. Ultimately, the investigation resulted in no further action against the company.
Some of the individuals notified made claims for compensation. Lawyers helped the company resolve those claims quickly and cost effectively without making compensation payments. Post-incident advice was provided to the company on its data storage and retention policies, contractual obligations and recourse against customers, and suppliers and incident response training
Minimise problems in advance: a checklist
What steps should companies involved in workforce solutions take to minimise problems in advance?
- Carry out incident response preparation and planning.
- Carry out contractual risk management including the review and management of supply chain exposure – suppliers' cyber risk may become the companies' cyber risk.
- Prepare risk assessments for the processing and storage of special category data, and reviewing or writing cyber security policies.
- Carry out readiness exercises, including war gaming and lessons-learned assessments.
- Carry out cyber insurance reviews and obtain legal advice on adequacy of coverage.
Osborne Clarke comment
It also worth remembering for those planning merger and acquisitions or fundraising projects, when that market fully returns in the next 12 months, preparedness for a cyber attack is likely to be a main focus for due diligence – and investors are aware of this risk area in the workforce solutions sector.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.