Empowering the Freelance Economy

“SJD had copies of my passport, my bank transfers, and other hugely sensitive information.”

Dustin Gorski, one of the thousands of freelancers whose data was hacked in the Optionis ransomware attacks.
1 2,056

Dustin Gorski, 35, a freelance software engineer living in London, trading as Dusted Codes reveals what it was like to be affected by the Optionis ransomware attack and what he’s done to rectify his situation.

Gorski, is a freelance software engineer originally from Vienna, now living in London. Up until the January ransomware attack on payment services group Optionis, Gorski was a client of Optionis- owned SJD, an accountancy firm. Trading as Dusted Codes, Gorski had been a client of SJD since 2018, using the company to prepare his end-of-year accounts and VAT statements. He has switched accountants and taken vital steps since he first suspected a ransomware attack.

Here’s how things unfolded.

Gorski – who has wide experience in cyber security – was first contacted by SJD by email on January 14. The message said the company was “experiencing significant issues relating to its systems” – without going into detail – and assured clients they could still contact their accountant.

“There was no mention of a cyber security incident at all making customers aware that their data might have been compromised,” said Gorski. 

“I was hugely frustrated because very quickly customers like myself learned from Twitter and other online forums that the entire group which oversees SJD, Nixon Williams and other accountancy firms has been hit by a ransomware attack,” he said.

The freelancer had not received any communication from SJD for weeks that his data was compromised and in the hands of criminals.

The attack is believed to be the work of the ransomware gang Vice Society, according to sources. 

“If I didn’t know how a ransomware attack works I’d be left with the impression that my data was not at risk whatsoever based on SJD’s lack of communication,” he said.

Why SJD was keeping quiet

Optionis alone claims to have 28,000 clients and booked revenues of £435 million for 2020. Analysis of documents reveal the use of “PASSWORD” and “Password123” on accounts from across the Optionis Group. Affected freelancers argue that such poor handling of their personal information is verging on negligence.

Gorski explains: “A ransomware attack is the worst when it comes to customer data. In a ransomware attack, the attacker doesn’t want to hide the attack, because the whole point is to take an entire business down by encrypting their data and making it inaccessible until they get paid.

“From what I can tell the attackers who hacked SJD and the other accountancy firms have already released parts of the stolen customer data to the dark web. This was confirmed on multiple online forums and it doesn’t take much effort to find it.

“Until today I have not been informed by SJD that any of my data was stolen and when I tried to ask them about the incident I was assured that my personal data was not affected by the incident, which is hard to believe at this point.”

SJD had copies of my passport, they had copies of all my bank transfers, my clients and other hugely sensitive information. The biggest risk that this exposes me to is simply impersonation.

It would be child’s play for a fraudster to use all this data and essentially contact my banks and pretend to be me and send them copies of my passport and knowledge of recent transactions and other sensitive data that presumably only I could know in order to get access to my accounts.

How do you get your accounts in order after a hack?

Gorski was fortunate that he had been planning a trip and so had got his accounts in order before the ransomware attack was announced. But he said – in addition to the stress and worry – the attack has placed a “huge operational burden” on him.

“I will have to slowly go through all of my most important online assets and ensure that I have recycled enough data points that a fraudster cannot impersonate me successfully with the data obtained from SJD,” he said.

This means changing many accounts to a new email address, making sure that my domains, my cloud hosting provider and other important pieces share as little information with the stolen data as possible.

“The problem is that customers can never be sure if they will not fall victim to an attack long after this incident. Fraudsters could sit on the data for a few years before they get to hit someone and then it will be hard to know if it was linked to the SJD incident or something else. These people are not stupid and the biggest losers here are really all of SJD’s customers, including myself.”

Gorski said that sophisticated attacks like this happen all the time where attackers can easily use that data to launch an attack from multiple angles:

  • First they could take down my email account, then use that email account to take down the next online account.
  • With each step, they would become increasingly less distinguishable from myself and could therefore easily make a financial institution believe that they are me.
  • Or they could take a shortcut and take over some important assets of me like domains, web hosting platforms, social media accounts and then hold me to ransom.

“It is very scary and the more this whole SJD incident is kept quiet in the media the easier it is for fraudsters to make use of the stolen data because most people have no idea the extent of what can happen now.”

How are accountants reacting to the Optionis cyber attack?

“Our team has worked in the accountancy sector for more than 20 years and we can safely say this is the largest ransomware attacks we’ve ever seen in our sector,” said  Daniel Fallows, Director at accountancy film Gorilla.

“This ransomware attack is a major concern for freelancers, SMEs and the accounting sector as a whole. Our sympathies lie with the firms targeted in these attacks and the thousands of SMEs, freelancers and contractors affected by this issue.” 

Fallows said that all firms working in financial services are a target for cybercrime given the sensitive financial information they have access to.

“This is why we invest heavily in our IT systems and cyber security,” he said.

Fallows said that the firm had been contacted by hundreds of affected contractors and SMEs who were concerned about being able to submit their HMRC self-assessment in time for the extended February deadline. 

“We would advise any contractors or businesses affected by this issue to contact a qualified accountant as soon as possible so that there is enough time for them to submit a self-assessment return before the end of February,” said Fallows.

  • Thousands of contractors, freelancers and SMEs have potentially had their data exposed online, after accountancy firms including the Optionis Group and Brookson One fell victim to a ransomware attack. 
  • Many freelancers have reported that the incident has left them not receiving their pay on time or being paid less than they were expecting. 
  • The attack is also believed to have left thousands of people unable to complete their VAT returns and self-assessment tax returns for the 2020/21 financial year, which were due to be filed on January 31st with hundreds of people leaving complaints on Trust Pilot. 
  • The Optionis Group includes brands such as Parasol Group, ClearSky, SJD Accounting, and Nixon Williams. 
  • Optionis alone claims to have 28,000 clients and booked revenues of £435 million for 2020
  • Analysis of the documents reveal the use of “PASSWORD” and “Password123” on accounts from across the Optionis Group
  • Parasol’s systems were suspended after malicious activity was identified on the network, with a forensic investigation ongoing, according to Parasol’s CEO. 
  • Cyber investigators have since found almost 6,000 pages of information, supposedly coming from Optionis company Parasol, on the dark web. 
  • It has been suggested that these files, posted online as downloadable links, contain the management accounts of customer’s companies, timesheets, and letters to and from HMRC discussing the tax status of customers. 
  • The attack is believed to be the work of the ransomware gang Vice Society. 
  • With systems down, contractors have been faced with a prolonged network outage with the company unable to access contractor time sheets and other resources to calculate how much contractors should be paid. 
  • Many contractors have taken to social media and TrustPilot to share how they have been left out of pocket, with some unable to access P45s and other necessary documentation.
  • An ICO spokesperson said: “Optionis has made us aware of an incident and we are making enquiries”.
1 Comment
  1. Urmil Patel says

    Thank you for the article, I have been a long standing customer of SJD and echo these comments, no mention of a cyber-attack by SJD to me. I had to ask them if they were breached which they confirmed.

    It has been many months and their employees keep leaving, I have had three different accountants in six months. I requested my company to be closed down in February, to date little or no update on progress.

    I would steer clear as I guess they are trying to play catch-up and not informing customers the real store behind the scenes.

Leave A Reply

Your email address will not be published.