As you may imagine, many cyber security events happen without becoming public knowledge.
However, occasionally, the details become public knowledge. This is a summary of one of those occasions.
For context, the most recent official statistics – published annually by the Department for Digital, Culture, Media & Sport – show that 39% of UK businesses identified a cyber-attack in the last 12 months (made up of 38% of micro and small businesses and 61% of medium and large businesses).
In mid-2022, a cyber security event at a mid-sized recruitment agency became public knowledge. The agency has been around for 30 years, has 40 offices across the South West, North West and South East of England and Wales, and employs around 400 staff. It provides permanent, temporary and contract recruitment across multiple sectors.
This case study summarises what’s known about the event and what the known consequences are.
In this case study, we summarise publicly available information about a data breach incident involving a mid-market recruitment agency.
The agency in question was required to report the incident to the ICO and inform individuals whose data was stolen, likely impacting the agency’s brand reputation.
Further, we found multiple law firms that were promoting services to affected individuals, encouraging them to pursue compensation claims against the agency involved; one of these firms was offering its services on a ‘no win, no fee’ basis – suggesting it was confident the claims would succeed.
The agency may also have faced an investigation from the ICO; however, because they had long held the Cyber Essentials Plus accreditation, we conclude they would have enough evidence to prove negligence was not the primary cause of this breach.
We close the case study by offering practical steps for anyone looking to de-risk their recruitment agency.
WHICH AGENCY WAS IMPACTED?
It is important to stress this could have happened to any agency. Indeed, given the volume of attacks and the natural desire to keep events under wraps, it no doubt has happened (and continues) to many more.
Given this, it seems unfair to name the agency; however, so you can validate the events yourself if you wish, the agency in this case study is Acorn Recruitment Ltd. Shortly after the event, they rebranded to Acorn by Synergie – we examine the timing of this on page six. From this point on, we refer only to “The Agency”.
Sources suggest they took the correct steps in the aftermath of the event.
Atlas Cloud is not affiliated with any parties involved in this case study; we are merely summarising publicly available information and making informed assumptions about the consequences of these events. All assumptions are referenced.
Here, we detail exactly what happened.
Multiple sources cite that The Agency suffered what was referred to as “suspicious third-party activity”, alongside confirmation that there was a data breach.
What is a data breach?
Breaches are where an attacker has accessed a company’s IT system and stolen any personal information that it stores, often to sell it or – if critical to the company itself – it could be deleted and held for ransom.
As a result of a data breach, The Agency (like any company) is legally required to inform the Information Commissioner’s Office (ICO) within 72 hours. Legislation also states that if an event is likely to “result in a high risk of adversely affecting individuals’ rights and freedoms”, anyone affected must be informed.
In the next section, we uncover the impact of this event.
WHY ATTACK A RECRUITMENT AGENCY?
IMPACT OF THE EVENT
The consequences of the breach begin to unravel.
Sources suggest that The Agency informed the ICO in a timely manner.
They also appear to have informed affected individuals that they were impacted by the breach, which implies the breach was judged to pose a high risk to those individuals. It was also reported that The Agency employed an external team of forensic cyber specialists to investigate the event and that it was committed to taking additional steps to protect its systems.
Therefore, the costs at this stage arise directly from the investigation required and from the additional protective measures identified for implementation.
However, if we assume the affected individuals are candidates (or even clients) – who make up the majority of the data that agencies store – it is not much of a stretch to conclude that there will be an indirect cost to brand reputation.
If candidates are informed that their personal data was stolen, it may reduce the likelihood that they would want to be put forward by that agency in the future. That makes recruiters’ jobs harder, meaning they’ll have to work harder to find more candidates. It is possible recruiters themselves may even decide it would be easier for them if they moved to another agency, one which doesn’t have a dented reputation.
If clients also become aware of an event like this, they may also be less likely to give roles to an affected agency, especially when there are so many other willing agencies.
While the above is all speculation, in January 2023 – around six months after the initial event – The Agency announced a full rebrand, including a new trading name, new website and new overall appearance.
EXAMPLES OF REBRANDS
Facebook’s well-known rebrand to Meta was to re-focus the company’s strategy on a new market category (the metaverse).
The Lance Armstrong Foundation rebranded back in 2012 to Livestrong as a successful attempt to disassociate itself from the disgraced cyclist it found itself named after.
As you may well know, rebrands (including name changes) don’t happen often and are usually a strategy executed off the back of a particular catalyst – be it a new direction or, perhaps, to deflect a bad reputation. We don’t know for sure, but the timing seems to be all too convenient.
While the costs so far could already amount to something significant, sadly, in this instance, they didn’t appear to stop at this point.
Brace yourself, this section isn’t an easy read.
We found multiple law firms that were not only aware of the specific breach but were actively promoting their services to affected individuals, aiming to pursue compensation claims with The Agency on behalf of any affected individuals.
While we weren’t able to find any information on how many claims have been processed and whether they were successful, we did find one law firm that claims to have been “contacted by concerned victims who may have been affected” by the event. Crucially, that firm was also offering to pursue compensation claims on a ‘no win, no fee’ basis – meaning it must be confident in a potential claim.
On top of potential compensation claims, it is possible The Agency may also be investigated by the ICO – to which it was legally obliged to report the breach – for potential breaches of the UK General Data Protection Regulation (GDPR).
RECAP: THE GDPR IN THIS CONTEXT
As the GDPR is an EU directive, the Data Protection Act (2018) states that the UK will adopt the same regulations.
If the ICO deems that inappropriate security was in place, it will investigate and look for evidence of reasonable steps taken internally to make appropriate security arrangements. If sufficient evidence is not found, The Agency is liable for monetary penalties.
The ICO is able to fine up to £8.7 million or 2% of turnover, whichever is higher.
Whilst we don’t have specific details of any security protocols The Agency had in place, we do know that it has maintained the Cyber Essentials Plus accreditation since long before the breach.
It could not have achieved this without demonstrating a good level of cyber diligence and protective measures.
EXPLAINED: CYBER ESSENTIALS PLUS
Cyber Essentials is an accreditation process that the UK Government encourages businesses and charities to undergo.
It is designed to ensure an organisation has a solid protective foundation against cyber criminals and any potential attacks. Cyber Essentials Plus is an enhanced certification that covers more areas.
So, thankfully, in this case, the best guess is that The Agency was at least able to provide sufficient evidence not to warrant penalties from the ICO.
What can agency leaders do to avoid similar situations?
There is no doubt: the recruitment industry is under threat. Just as recruiters always try to up their game, so do cyber criminals.
When the costs can accumulate so significantly, directors must have a way to manage their cyber risks and must periodically act to de-risk, levelling the playing field once again.
Thankfully, there are easy steps that anyone can take. And they don’t have to be costly or time-consuming.
We will shortly publish a comprehensive guide that takes agency leaders through everything they need to know. So keep your eyes peeled.
SHORT ON TIME?
If you’re looking to de-risk your agency but don’t have time to take a hands-on approach, book a consultation with Atlas Cloud today.
We’ll conduct a complimentary mini-audit on your agency that tells us everything we need to know to come prepared for your consultation with detailed recommendations, allowing you to make simple – yet informed – choices from the start.