Optionis Group is denying responsibility for a data breach that led to tens of thousands of contractors having their personal information shared on the dark web earlier this year, a leaked email seen by Computer Weekly suggests.
The group, which owns the Parasol umbrella company and several contractor-focused accountancy firms, is the subject of a group action that is seeking compensation for contractors whose personal data was compromised by the breach, which came to light in February 2022.
The action is being overseen by London-based law firm Keller Lenkner, and was launched soon after it emerged that Optionis Group had suffered a data breach linked to a suspected ransomware attack on its systems five weeks before.
As reported by Computer Weekly in February 2022, the data breach resulted in a sizeable dump of personal information emerging on the dark web. The data belonged to contractors who were either employed by Optionis’s umbrella companies or relied on its accountancy firms.
Despite assurances from Optionis that it would notify, in a timely manner, any contractors whose personal information had been compromised as a result of the breach, Computer Weekly spoke to several IT contractors in February 2022 who had decided to access the data dump themselves to search for their own data, after growing frustrated at how long Optionis was taking to notify them.
During the intervening months, the Keller Lenkner group action has rumbled on, with the law firm issuing a statement in April 2022 confirming that its investigation into the breach showed it had grounds to accuse the company of being in “flagrant breach” of the UK General Data Protection Regulation (GDPR).
The statement also said victims of the breach had a “solid and winnable case”, prompting Keller Lenkner to issue a notice of potential claim against Optionis.
However, it appears that Optionis disagrees, based on an email – seen by Computer Weekly – sent in recent days by Keller Lenkner to contractors participating in its group action.
“In our last update, we advised… we had written to Optionis to seek more information about the cyber attack and to ask for copies of the various documents, such as copies of any reports produced about the cause of the cyber attack which will assist us in determining the next steps of the claim,” said the email.
“We have now received a response from solicitors Pinsent Mason, who are working for Optionis; they have denied any liability to pay any compensation and refused to provide the requested documents.”
As a result, the Keller Lenkner email confirmed that the law firm is now preparing a “letter of claim”, to which Optionis will have 21 days to formally respond. “Once we have their response, if they maintain a denial, then we will have to prepare to issue the claim at court,” it said.
Given the 21-day timeframe for a response from Optionis, the email concluded by stating that the law firm expects to be in a position to update the group claim participants in mid-to-late June 2022.
In a statement to Computer Weekly, Keller Lenkner verified the content of the email, and said Optionis Group’s legal team has issued a “strong blanket denial of responsibility for the cyber attack and subsequent data breach”.
It added: “We are preparing a ‘letter of claim’ on behalf of those affected by the data breach and if the claim is not resolved, we will make a full submission to the court. On behalf of our clients, we maintain that the exposure of their data, both personal and sensitive, has caused significant issues and distress.”
Computer Weekly contacted Optionis Group for a response to Keller Lenkner’s claims that it was refusing to hand over documents about the cyber attack and was denying responsibility for the incident.
The company said in a statement to Computer Weekly: “Since the cyber security incident we suffered earlier in the year, our top priority as a business has been investigating the precise nature of the information that was copied from our systems during the attack.
“We have committed considerable resources to this process and there is currently a substantial team conducting a review of the impacted data that will allow us to identify where there is a high risk to any individual.
“This has been a long and complicated process; however, it remains our absolute priority to establish the impact on personal data and to communicate with those affected. We would like to thank our partners, clients and employees for their patience as we continue to respond to this incident.”