Hack at third-party payroll-services provider compromises employees’ bank details and other personal information

Thousands of staff at Arup have had their personal details put at risk in a cyber attack on a third-party payroll-services provider.

Architects, engineers, planners and project managers at the firm were told that a ransomware attack on Symatrix had exposed their names, addresses and bank account details to hackers.


Source: shutterstock

Arup, which employs more than 6,000 staff in the UK alone, was informed of the breach last month although the attack is understood to have taken place in January. Arup created a specialist team to investigate the extent of the attack before telling staff.

Last year Zaha Hadid Architects was targeted by cyber attackers who used ransomware in a bid to extort money from the practice in the early weeks of the first national covid-19 lockdown, when all of the firm’s 300-plus staff were working from home. Bouygues, Interserve and Bam were also targeted by cyber criminals last year.

CEL Solicitors said it was supporting some Arup staff following January’s cyber attack on Symatrix and warned that anyone employed by Arup since November 2018 should contact their bank, tell them about the incident and check there has been no unexpected activity.

Mark Montaldo, director at the no-win, no-fee firm – which specialises in data breach cases – said cyber criminals were becoming increasingly sophisticated.

“This example of Arup’s also demonstrates how they are willing to impact a global company via a third party which, in this case, is the payroll provider,” he said.

“From recent cases, we can also quite clearly see how the perpetrators do not discriminate against industry, with no sector being 100% safe from such fraudulent activity, so it’s essential that firms – of all sizes – take action to make sure their data protection processes are watertight.”

An Arup spokesperson confirmed the firm was “working closely” with Symatrix to establish the extent to which its staff had been affected.

“Our commitment to data security remains a priority and we are working at pace to resolve the issue,” they said.

>> Also read: ZHA warns architects to be vigilant after falling prey to cyber attack


A Symatrix spokesperson confirmed that its internal network had been the target of a cyber attack on 12 January and that the Information Commissioner’s Office had been informed.

“Our IT experts took immediate steps to contain the incident, including shutting off our internal servers, and engaged a dedicated team of IT forensic experts to conduct a thorough investigation,” the spokesperson said.

“Our investigation concluded in March and we notified a small number of Symatrix customers who were impacted in the incident to let them know what happened and the support we were offering. Our systems are restored and we are servicing our clients as normal.”