A hacker used ransomware – a type of malicious software – to hit the global consultancy’s third-party payroll provider, copying and encrypting files before demanding money for their release.
Arup employs more than 6,000 people in its 16 offices across the UK, including around 40 architects.
It follows an attack last year on Zaha Hadid Architects (ZHA) when a computer hacker attempted to extort money from the practice after breaking into its servers and stealing confidential information. ZHA was directly targeted by ransomware which remotely accessed a computer at its London office in April 2020.
According to data breach specialist CEL Solicitors, Arup employees had their personal details, including bank details, address and name, compromised following the attack. It says it has already received enquiries from some staff members seeking advice on the data breach.
Arup alerted its employees to the incident in a letter stating that the payroll provider Symatrix had suffered a ‘cybersecurity incident’ on 12 January.
After being told of the breach on 11 March, Arup set up a specialist team to investigate the extent of the attack before informing its staff. The incident has also been reported to the Information Commissioner’s Office (ICO).
One anonymous Arup employee affected by the attack who spoke to CEL Solicitors said: ‘It’s incredibly worrying to know that such personal information as my bank details and address have been accessed by these cybercriminals, especially in the current climate when there is enough going on to be worried about.
‘We won’t know if or when we could feel the effects of the hack, so it’s extremely distressing to have a feeling of such uncertainty or vulnerability.’
Mark Montaldo, director at CEL Solicitors, said: ‘As cybercriminals become more sophisticated in how they access data, they are able to delve deeper into sensitive information, hacking into bank account details, national insurance numbers and addresses.
‘This example of Arup’s also demonstrates how they are willing to impact a global company via a third party which, in this case, is the payroll provider. From recent cases, we can also quite clearly see how the perpetrators do not discriminate against industry, with no sector being 100 per cent safe from such fraudulent activity, so it’s essential that firms – of all sizes – take action to make sure their data protection processes are watertight.’
CEL Solicitors said that staff at Arup had been instructed to contact their banks and check there had been no unexpected activity.
Montaldo added: ‘It is vital that, if you are employed by Arup, or have been at some point since November 2018, you contact your bank and tell them about the incident.
‘Be on your guard for any unexpected activity and check your bank balance and transactions regularly. The repercussions of a hack like this may not always happen straight away, so it is extremely important to maintain a high level of vigilance.’
A spokesperson for Arup said: ‘We have been informed about a data incident impacting our payroll provider Symatrix and are working closely with them to establish the extent to which our staff have been affected.
‘Our commitment to data security remains a priority and we are working at pace to resolve the issue.’