Former and current employees of a conveyancing giant have learned that their bank details, date of birth and medical information may have been obtained by hackers in a ‘security incident’ nearly a year ago.

Simplify, which describes itself as the UK’s leading independent conveyancing and property services group, suffered a major IT systems outage last November. Details of the incident have emerged in a letter seen by the Gazette from Simplify’s chief executive, David Grossman, to former and current employees whose files containing personal information may have been accessed.

The letter states: ‘On 7 November 2021, we began to experience some IT disruption to part of our network, Our IT team soon established that this was the result of a security incident during which an unauthorised third party gained access to parts of our system for a limited period of time. We immediately disconnected all systems to contain the incident (which was something we had plans in place for). With the help of professional security experts, we contained the incident and worked tirelessly to restore our systems in a safe and robust manner as quickly as possible.’

Simplify undertook a ‘detailed forensic analysis’ to find out what files may have been accessed by the unauthorised third party and reviewed those files for personal information. ‘Investigations like this are complex and take a significant amount of time to complete, which is why we were unable to contact you until now.’

The letter says the unauthorised third party focused on certain internal Simplify files. ‘The vast majority of these files did not contain any personal information. However, some files held information about our colleagues and former colleagues.’

As well as standard employment information, Simplify’s investigation found that some files contained information including bank account information, contact details, date of birth, health/medical information, and tax/national insurance number.

The letter says: ‘Whilst it is possible that this information could be used for identity theft or fraud, the comprehensive steps Simplify took in response to the incident and the fact that the information was unstructured in nature (i.e. not held in a format that is easy to access or read) significantly reduces any such risk.

‘Furthermore, following close monitoring, we are confident that none of your information has been shared online or otherwise misused following the incident. We also believe that the risks of this happening at any time are minimal. We have a security expert monitoring the internet and there is no evidence that anyone is in possession of your data.’

A spokesperson for Simplify said: 'In late 2021 Simplify experienced IT disruption that was found to be due to an unauthorised third party temporarily gaining access to a part of the IT systems, relating to certain internal Simplify files. By early 2022, our services had returned to normal for clients both existing and new, with our conveyancing colleagues back up and running on core systems and actively working on cases.

'Since then, and supported by a third-party team of specialists, Simplify has undertaken a detailed investigation and analysis of the incident and the files. The vast majority of these files did not contain any personal information. However, some files held information about our colleagues and former colleagues, and we have now identified that some of their personal data was involved. In line with our legal and regulatory obligations, we have taken steps to notify those people whose personal data was involved in this incident and provided appropriate guidance and support.

 'We take data security extremely seriously and have been working with experienced IT forensic partners to further strengthen our systems and help prevent future issues.'

 

This article is now closed for comment.