The Optionis data breach is worse than you can imagine. Here's why.

"Useful passwords" is not a document to leave lying around...

Thousands of email addresses and phone numbers. Over 1,000 scanned passports. National Insurance numbers. P60s. Detailed bank statements. Contracts. Salaries: The Optionis data breach has seen a treasure trove of information useful to the maliciously minded thrown by hackers onto the Dark Web for anyone to see.

Clearly responsibility for this starts with the hackers, who use the impact of this kind of breach -- and increasingly frequently the media coverage around such incidents -- to negotiate a ransom.

Yet the data breach begs serious questions of the “umbrella” company and its subsidiaries which provide “award-winning tax, umbrella and accountancy solutions” for thousands of contractors and small businesses – including why so much sensitive data, ripe for abuse, was stored with apparently little or no protection.

It also reveals appalling security hygiene across many of Optionis’s companies, with staff seemingly routinely storing credentials in clearly flagged Word or Excel documents. Conveniently for attackers, these were titled, among other examples, “useful links and passwords”, “passwords”, and “useful passwords”.

Over 48 documents with “password” in their title are included in the data dump – including one that gives away server admin username and password combinations, router login details, and social media credentials.

A screen grab of a document in the data dump. Storing your passwords, clearly signposted, in an unprotected document like this is not good practice.

Documents reviewed by The Stack reveal the use of “PASSWORD” and “Password123” on some accounts.

Other data seen by our team included a contract for someone working at BAE Systems Global Combat Systems and another contracted to Airbus – details which, although limited (we did not cross-reference them against the passports however), could potentially lend themselves to targeted phishing campaigns against the highly sensitive defence and aerospace companies.

Another cybersecurity contractor was understood to be left livid at having their personal details exposed in the Optionis data breach, and concerned that exposure could put their security clearance at risk.

(A small sample of people reached by The Stack were unaware that their data had been exposed.)

Optionis Data Breach. What happened?

Optionis Limited is the parent company of numerous companies: some, like Parasol, SJD Accountancy and Nixon Williams, listed under “our brands” on its website; others, like subsidiaries of its subsidiaries (e.g. specialist tax advisory and accountancy ARNSCO, seemingly not. The data breach comes after Parasol Group was reported hacked in January 2022 in an apparent double-extortion ransomware attack (in which the attackers render files on company servers inaccessible and also leak data in a bid to receive a ransom) that crippled IT systems.

An Optionis Group spokesperson told the Freelance Informer: “We can confirm that we recently suffered a cyber security incident. With the help of external cyber security experts, we have been conducting an urgent investigation and we now believe that those responsible have released some information online that was extracted from our systems. We are investigating the precise nature of this information as a priority and are communicating with those who may have been impacted. We would like to thank our partners, clients and employees for their ongoing patience and support as we continue to respond to this incident.”

Follow The Stack on LinkedIn

In relation to late payments for umbrella company workers, the spokesperson added: “It has always been our first priority to ensure all our umbrella employees are paid as soon as possible. Our payroll system is now fully operational, which means all employees are receiving pay calculated in the usual way, and on their normal pay day. Any outstanding amounts owed are also being reconciled.”

Not a hard one to guess...

One contractor, whose accounts were handled by Nixon Williams, said they were still unable to submit invoices for work.

They told The Stack: "The updates from them have been extremely poor and sporadic and have provided little in the way of detail of the attack, what has been leaked and who is likely to be affected. There has also be mention of data not being backed up correctly; at present my account is stuck in the last financial year and as yet there is no mention of this being fixed... [their Vantage application] essentially locks you out at the end of each financial year until you submit bank statements and other support info, once they're happy they unlock the next year.

"But when it is locked like mine is currently, you are unable to update transactions, see your tax liability, create invoices, submit expenses, see payslips or create dividends. As an example if I want to submit an invoice today, I will put today's date on it [but] when I submit it the app will reject it as today's date is not within my current financial year, as the app thinks that I am still on the year-end May 2021.  Essentially I have had no access to the app from the start of January to now. The year-end issue has come up a few times in the past but has been fixed within a few hours, so never been an issue, but I suspect that they're not sorting it out now as data has been lost."

They added: "[Other than top-level emails from the CEO] there has been no attempt to reach out to me directly. A number of my emails in January about my self-assessment have gone unanswered, needless to say, it hasn't been actioned or submitted. One email that did get a response was one that politely informed them how incompetent they have been with my data and that I [may] wish to terminate my arrangement with them."

An ICO spokesperson said: “Optionis has made us aware of an incident and we are making enquiries”.

The number of companies and contractors using "umbrella" companies to handle their payroll and other services has soared in the wake of "IR35" tax reforms, which made employers responsible for determining the tax status of those they hired through intermediaries. This was rolled out for the public sector in April 2017 and to medium and large organisations in the private and third sectors in April 2021. Some 500,000+ contractors are now believed to be using umbrella companies. Optionis alone claims to have some 28,000 clients. Optionis booked revenues of £435 million for 2020, its February 2021 annual report shows, but still reported a net loss of £6.9 million. Public documents suggest the company group has cyber liability insurance with Hiscox.

Affected by the breach? Strong opinions on it? Feel free to get in touch by email or Signal.

Follow The Stack on LinkedIn