Professional services firm Arup told employees that its third party payroll provider had suffered a “cyber security incident” on January 12. The payroll provider was the victim of a ransomware attack, meaning files were copied and encrypted, before being held to ransom in order to access the data.
Arup’s website says their site at South Queensferry is home to more than 150 planners, engineers, digital experts and technical advisors.
Among the data compromised are first name, surname, bank account number, bank sort code, national insurance number, date of birth, gender and address. Anyone employed by Arup since November 2018 could be affected.
The incident has been reported to the Information Commissioner's Office and law firm CEL Solicitors has received enquiries from Arup staff.
One employee said: “It’s incredibly worrying to know that such personal information as my bank details and address have been accessed by these cyber criminals, especially in the current climate.
“We won’t know if or when we could feel the effects of the hack, so it’s extremely distressing to have a feeling of such uncertainty or vulnerability.”
Mark Montaldo, director at CEL Solicitors which specialises in data breach, said: “It’s essential that firms – of all sizes – take action to make sure their data protection processes are watertight.”
Staff at Arup have been instructed to contact their banks and check there has been no unexpected activity. They have also been offered free access to an identity protection service.