Hacked Optionis isn't denying the dark web now hosts 400,000 of its files

Optionis Group has declined to rule out to ContractorUK that the hack of its computer systems has left up to 400,000 of the contractor conglomerate’s files circulating in the wild.

Signed up with the group’s Parasol, SJD Accountancy, ClearSky Contractor Accounting or Nixon Williams, Optionis customers are yet to have the 400k figure confirmed in writing.

But having surfaced in Tweets which have now been deleted, the ‘400,000-file’ data dump was said to include FreeAgent passwords, social media passwords and Parasol timesheets.

'Treasure trove'

Since the claims by the Twitter user (who has taken their account offline), The Stack reported that an Optionis “treasure trove” of information from the hack is available on the dark web.

The business-tech mag said the dataset included 1,000 scanned passports; the employment contracts of individuals working at BAE, Airbus and GCSM, and “detailed bank statements”.

Significantly, both the reportage and the deleted tweets agree that passwords for Optionis systems are contained in a plain text Word document entitled “Useful links and Passwords.”

'Password123'

Worse still, the passwords for one of the contractor conglomerate's “major systems” was said (by the Twitter user) to be protected by the password ‘Password123.’

And one document was said to contain Optionis’ server admin usernames, passwords and router log-in details.

But reportedly, there are 47 additional documents with similarly sensitive information.

Asked to respond, and presented with the claim that the total haul of data copied and leaked from its systems amounts to 400,000 files, a spokesperson for Optionis didn’t get specific.

'Take time'

“We are in the process of reviewing all of the data that has been leaked by the cyber-criminal gang, in order to be able to notify individuals in line with our legal obligations.” 

The Optionis spokesperson continued in a statement to ContractorUK: “This review is a complex process which will inevitably take time.

“But we are putting significant resources behind it, and working with specialist IT experts to ensure that it is done as quickly and efficiently as possible.”

'400,000 files in one big dump'

James Poyser of Off-payroll.org isn’t surprised that it’s ‘taking time’ for Optionis and its companies to work out what data was compromised.

“Why is it taking Optionis so long to give you the details?” he began in a post addressing affected contractors.

“It's because of the size of the data. 400,000 files in one big dump -- there's no handy index! It's got to be examined file by file. No doubt this is what Experian will now be doing.”

'What the hell is going on'

A chartered accountant, Mr Poyser was referring to Optionis using an email on February 7th to inform affected parties that it had enlisted the data firm for cyber security advice.

But wrongly according to affected contractors, that’s one of the very last emails Optionis has sent.

A ContractorUK reader signed-up with SJD said: “They need to send out communication about what the hell is going on. The online accounts system seems to be back up online, but there has been no communication to that effect.

“And all of their phone numbers are going to a recorded message; the live chat fails to connect and I’m still waiting three days for a response to an urgent email regarding my VAT return. Oh, and I can’t seem to be able to directly contact anyone from the company whatsoever.”

'Migrated to another system'

The contractor was speaking on Monday afternoon, but since then, another Optionis customer says she has received an email from one of the group’s managers outlining progress.

“The email says that our accounts have been migrated to another system and can I log-on to that system,” she said. “But there’s no details of how to access the new system. Ridiculous.”

Some customers of SJD Accountancy are equally frustrated -- and worried.

'Chaos'

Speaking on condition of anonymity, one SJD client said: “Up to now, I was able to use a good old spreadsheet as an alternative to their cloud portal.

“They allowed that option for a while. But now they have cancelled that and are forcing customers to use online systems. Given the chaos at the company, I’m concerned about that.”

A legal adviser to the contractor sector is sympathetic to the SJD customer’s concerns.

The adviser told ContractorUK: “Personal data must be processed in a secure manner, and appropriate technical and organisational measures must be implemented, so as to ensure a level of security appropriate to the risk.”

'Loyal to Parasol'

But even if such implementation was achieved by Parasol tomorrow, a contractor recruitment agency says that would still be too late.

“We have stopped referring contractors to Parasol out of necessity," the recruitment agency began.

“About 30% of our contractors have stayed loyal to Parasol, which we respect, and certain Parasol team members sound devastated about what has happened."

'Contractors not willing to work via Parasol'

Specialising in digital and IT placements, the agency continued: “But we have struggled to get in touch with anyone at the umbrella at some points.

“And so we are no longer mentioning Parasol as a potential umbrella partner to new contractors. However, we are having contractors bring them up to us directly -- to say they are not willing to work through them.”

As to guidance for affected contractors, cyber security adviser Paul Musson took to LinkedIn: “Submit an FoI request to [email protected] requesting a report of all the data they hold about you, and also state in the FoI asking what data they hold about you was leaked in the cyber-attack they incurred.

“The data-controller has a maximum of 20 days to reply by law. The same data controller email address is stated in the privacy policy for all companies within the Optionis Group. Including SJD , Parasol [and Nixon Williams].”

'Read, subscribe, lock'

From inniAccounts, where Mr Poyser is CEO, similar recommendations are being issued to Optionis customers.

“It's a big dump, so perhaps best to adopt the mindset that your data may be there [among the 400,000 leaked files], and then think about what you can do. Start by reading this Identity Theft advisory from the Information Commissioner’s Office,”

Mr Poyser further advised: “Then consider subscribing to Experian, ClearScore or other identity theft-protection services. They hoover up the data from the dark web -- including the leaked Optionis data hopefully -- and will tell you if there's a match.

“Cifas can also put extra 'locks' on your credit file. Sign up to Companies House PROOF scheme, and keep your eyes open for anything strange. [For example] unexpected tax bills -- which could be fake, changes to registered office address. And change any unsafe passwords.”

'Fed up with SJD'

However, it’s changes to how much some SJD customers pay which is causing concern too.

In fact, the accountancy firm has increased the fee for its ‘dormant company’ service by 59%, in a ‘non-negotiable’ change which saw the extra monies allegedly taken by Direct Debit.

“The dormant [company service] fees were about £46 a month, now they’re £73,” added the “fed up” customer who claims to be looking for a replacement accountant.

“This is a steep price rise which I complained about, but in vain as I was told it wasn’t up for debate. That’s even though dormant company accounts require less admin work.”

'Do these people not have mobile phones?'

Another disgruntled SJD customer reflected last night: “It’s total confusion with SJD.

“My ‘personal accountant’ tells me enter my transactions into the old SJD online system, whereas SJD Support tells me to add the transactions to the new FreeAgent system, where apparently everything had been migrated.”

Asked if he’d tried to seek clarification, the limited company director replied: “You can’t. All phone numbers go to an Optionis answerphone message. Do these people not have mobile phones?! I have requested a phone number where I can speak to someone in person, and nobody has responded. Needless to say, I won't be a customer of SJD’s for much longer.”

The spokesperson for Optionis, which owns SJD, Parasol, Nixon, ClearSky and another accountancy firm First Freelance, said: “We would like to thank our employees, clients and partners for their support and patience while we continue to respond to this incident.”