Hack at payroll services provider compromises employees’ bank details and other personal information

Thousands of Arup staff have been warned to monitor their bank accounts after the firm confirmed employees’ personal details have been put at risk by an attack on a third-party payroll services provider.

Architects, engineers, planners and project managers at the firm were told that a ransomware attack on Symatrix had exposed their names, addresses and bank account details to hackers.


Source: Shutterstock

Arup is the latest firm in the industry to be caught up in a ransomware attack

Arup, which employs more than 6,000 staff in the UK alone, was informed of the breach last month although the attack is understood to have taken place in January. Arup created a specialist team to investigate the extent of the attack before telling staff.

But CEL Solicitors, which is working with some of the affected staff, warned that anyone employed by Arup since November 2018 should contact their bank, tell them about the incident and check there has been no unexpected activity.

Mark Montaldo, director at the firm, which specialises in data breach cases, said cybercriminals were becoming increasingly sophisticated.

“This example of Arup’s also demonstrates how they are willing to impact a global company via a third party which, in this case, is the payroll provider,” he said.

“From recent cases, we can also quite clearly see how the perpetrators do not discriminate against industry, with no sector being 100% safe from such fraudulent activity, so it’s essential that firms – of all sizes – take action to make sure their data protection processes are watertight.”

An Arup spokesperson confirmed the firm was “working closely” with Symatrix to establish the extent to which its staff had been affected.

“Our commitment to data security remains a priority and we are working at pace to resolve the issue,” she said.

A Symatrix spokesperson confirmed that its internal network had been the target of a cyberattack on 12 January and that the Information Commissioner’s Office had been informed.

“Our IT experts took immediate steps to contain the incident, including shutting off our internal servers, and engaged a dedicated team of IT forensic experts to conduct a thorough investigation,” the spokesperson said.

“Our investigation concluded in March and we notified a small number of Symatrix customers who were impacted in the incident to let them know what happened and the support we were offering. Our systems are restored and we are servicing our clients as normal.”

Last year Zaha Hadid Architects was targeted by cyber attackers who used ransomware in a bid to extort money from the practice in the early weeks of the first national covid-19 lockdown, when all of the firm’s 300-plus staff were working from home. Bouygues, Interserve and Bam were also targeted by cyber criminals last year.