8 actions for contractors to take following a data breach

Earlier this year a number of umbrella companies and large contractor accountancy firms were at the receiving end of a malicious cyber attack. At best, their clients have had trouble accessing services, and at worst sensitive personal data has been dumped and is freely available on the darkweb as part of a cache of 400,000 unencrypted personal documents.

I’m absolutely taken aback by the lack of support their clients have received. Every day via offpayroll.org.uk, we’re getting asked questions about what contractors should do next. Reading TrustPilot reviews is like watching a car crash over, and over, and over again. You would hope that the impacted companies are on the case, but sadly not. In this article I'll try and help instead.

Getting hacked is truly terrible. It’s a nightmare scenario for any business. They have my deepest sympathy. But, I’m afraid to say their lack of communication, reassurance and action is simply indefensible, and my sympathy, like their clients who are leaving, has run out.

Sorry, rant over. Let’s talk about what you can do about it.

What I’m going to cover here

I know it’s a really worrying time for contractors. In this article, I’ll share a list of actions you can take to mitigate the damage, protect your personal and business data from fraudsters and avoid late filing penalties. I’ll also give advice on how to untangle yourself from a poor accountant, and share the regulatory bodies you can complain to. 

1. Secure your income and finances, switch bank

First and foremost, move to protect your income and your finances. If you’re using an impacted umbrella company and things aren’t back to normal, then move. You must put your own financial needs and security ahead of everyone else in the supply chain - your umbrella, your agent, etc. You’ll need to resign from the umbrella, and start with a new one. Don’t take no for an answer - don’t let your agent get in the way, don’t let the umbrella company stop you. If they don’t let you move, remind them there’s a group action law case that you’re considering joining. If they’re not playing ball, talk to the compliance officer at your end client and let them know what’s happening in their supply chain and the CSR risk this poses. It’s not OK to be held to ransom by an umbrella or an agent.

If you’re using a limited company, the situation is different. You’re still in control of your bank account. We’re aware that there are problems with accountancy portals, which are preventing invoicing and drawing earnings. Invoicing is straightforward - you can knock up an Excel invoice template and use that (Google will tell you what you need to know). If payroll is knocked out, and you can’t draw a divi just go ahead and make a withdrawal from your company’s bank account. This will get chalked up as a directors’ loan, and it’s a quick thing for your accountant to resolve once they’re back online.

The risk when it comes to limited company bank accounts is the spilling of bank details onto the darkweb. The cache of documents includes thousands of limited company bank statements, along with sort codes, account numbers, etc. This is a vector for fraud. 

If you’ve ever thought about switching banks, then this is a good reason to do it. Here’s what you might not know: The Current Account Switch Service applies to small business accounts, too. It’s easy to switch, and any payments made to your old account will be deposited in your new account. Anecdotal, the most popular migration route we’ve seen is people leaving Metro and moving to Starling Bank - both offer the switch service.

You might also want to consider informing your creditors of the data breach. This includes your business bank and personal banks, plus credit cards, mortgage and other loan providers. List all the forms of finance you have, such as a car on finance, and let them know what’s happening. If your finances have been impacted directly, or you’re having trouble accessing your accounts, you may be able to request a payment holiday to give you some breathing space. 

2. Tighten security

It’s back to basics, here. Sensitive information spilled onto the darkweb combined with social media or email account access can be a potent catalyst for sophisticated fraud. Get ahead, and secure your social media and email accounts.

It’s a good idea to regularly change your passwords but this is particularly important following a data breach. Passwords should be unique, strong and secure with a mix of letters, characters and numbers. A password manager can help you to generate and keep track of passwords. 

Most social media sites and email providers now support two-factor authentication (2FA, MFA). Enable this right now. This is where thieves are likely to target first. Gmail, Facebook and LinkedIn all support this. Two-factor authentication adds another layer of protection to your account and will require you to enter additional information, usually a code sent by text to your phone to verify your identity.  

3. Monitor your personal data

Following a breach of your personal data, you could be at increased risk of identity theft. Take these actions to help protect yourself against fraudsters. 

Experian and Clear Score both offer subscription services to monitor your personal data, for around £5/m. They have teams who trawl the darkweb, hoovering up stolen personal data. If they find your data in the wild, they will alert you. They’ll also let you know if anything suspicious happens on your credit record.

On that note, you can also register for identity protection. Cifas is the UK’s leading fraud prevention service which operates the largest cross-sector fraud database in the country. Its Protective Registration service costs £25 for 2 years cover and places a warning flag against your name and other personal details in the Cifas National Fraud Database. This tells any organisation that uses Cifas data to pay special attention when your details are used to apply for their products or services. Knowing you're at risk, they'll carry out extra checks to make sure it's really you applying, and not a fraudster using your details. To find out more, visit cifas.org.uk/ 

What if you think you’re a victim of fraud? Then report it. If you spot something unusual and think you may have been a victim of fraud contact Action Fraud, the UK's national fraud reporting centre. They have a great advice section and support for fraud victims on their website. To find out more, go to actionfraud.police.uk 

4. Monitor your company data

This applies to limited company contractors whose accountants have been hacked. There is a risk that fraudsters take control of your limited company by updating statutory records at Companies House. This is a particular risk if your Companies House authentication codes have been leaked.

There is free preventative action every limited company owner should do now. That’s to register with Companies House’s PROOF scheme to prevent unauthorised changes being made to your limited company. 

PROOF is a free service that lets you protect your company from unauthorised changes to your records. It prevents the filing of certain paper forms, including:

• changes to your registered office address
• changes to your officers (appointments, resignations or personal details)
• changes to your company name by special resolution

If you do suspect fraudulent activity against your company you should report this to Companies House.

5. Watch out for very targeted and clever spear phishing

The most viable and effective fraud we’re likely to see is spear phishing. This is a frighteningly sophisticated form of phishing, and it’s very active at the moment.

The fraudsters send exceptionally authentic looking letters, pertaining to be from HMRC. They even come in brown windowed envelopes. The letters claim you have an outstanding tax payment (most often VAT), points you to HMRC pages if you can’t pay, but also includes the bank account and sort code for the payment. Clearly, this account is the fraudster’s. These letters are so authentic, even accountants have been caught out.

If your company data is in the wild, the fraudsters can take the letter to the next level - including your VAT period end, your VAT number, etc. 

You must stay alert. We understand that two of the hacked accountants are behind on their clients’ VAT returns. This may give fraudsters cover as a seed of doubt is already present in the mind of the contractor about their VAT payments. The accountants are still offline, so it’s difficult to verify. This is a ticking fraud timebomb.

What can you do to protect yourself? The easiest thing to do is contact HMRC directly if you receive a letter demanding payment to verify it. Do not call the number on the letter (it could be fake). Instead, visit HMRC’s website and find the number for yourself. 

If you switch to a new accountant, defer everything to them. Don’t pay a tax bill or respond to a payment letter until your accountant has verified it.

6. Have a plan for upcoming statutory deadlines

One of the biggest worries we’ve heard from contractors whose accountant is being unresponsive is ‘are they actually going to do what I pay them to do?’ If they are having issues delivering services, and it’s looking like your accounts or returns will be submitted late, then there are proactive steps you can take to mitigate late filing and payment penalties with HMRC and Companies House. 

How much could I get fined?

• RTI payroll (monthly) - £100 penalty for each missed monthly submission, penalties sent quarterly
• VAT (quarterly) - you could face a surcharge for missed VAT payments, but most small companies are unlikely to
• Corporation tax (annually) - £100 penalty for being a day late, increases after 3, 6 and 12 months
• Companies House accounts (annually) - £150 penalty, increases after 1, 3 and 6 months
• Self Assessment (annually) - £100 penalty, increases after 3 months

If you’re late with payments, you’re also likely to be charged interest, too.

How to prevent and appeal late filing penalties with HMRC

• First of all, register for a business tax account with HMRC. 
• Secondly, get in contact with HMRC to let them know you’re having problems with your accountant. 
• If your accountant is late submitting your company tax return or VAT return and you’ve been issued a penalty, you can appeal to HMRC if you have a ‘reasonable excuse’.  
• If you’ve provided everything to your accountant, but their system issue has stopped them from filing your return on time, this would count as a reasonable excuse. 
• If you’re issued a penalty for a late return, you’ll need to appeal within 30 days. 

For year end accounts, there may be an opportunity to extend your financial year to avoid a penalty. Talk to your accountant.

7. Prepare to move accountant

If you’ve reached the end of your tether and want to move, here’s what to do.

• Give your current accountant an opportunity to respond to you but set clear deadlines. 
• In the meantime, start looking around for a new accountant. (I’m biased, but inniAccounts is a great place to start!) 
• Once the deadline you have set has passed, if you’re still unhappy, send a recorded letter advising you are terminating your contract with them.
• Your new accountant will then start the “professional clearance” process, and they will contact your old accountant for your records to be transferred

There’s no need to wait until the end of the year, or for your accountant to complete work they owe you. If you’ve been paying them a monthly fee for your accountancy service, then they are normally obliged to file your previous accounts. This means you can switch accountants at any time, and your old accountant should complete any work you’ve paid for.   

If your old accountant won’t, or can’t, file your outstanding accounts – including overdue accounts – don’t panic! Your new accountant should be able to do this for you, but it’s likely you’ll need to pay. You could make a court claim (used to be called the small claims court) to get your outgoing accountant to foot the bill.

Another small plug for inniAccounts, if I may. Our team of software engineers and accountants have collaborated to make switching easy. We can extract data from your old accountants portal, and import your bank records to make the switch over effortless. Even if they don’t respond to our professional clearance letters, it’s not a problem. A recent contractor who switched to inniAccounts said this:

“Having been invited to preview inniAccounts forensic reconstruction of this year's accounts into their software, it is difficult to tell that I haven’t been with them for years.  Everything I need to carry on is there. I can’t wait to get started!”

8. Complain

If you’ve had an awful experience, it’s worth making a complaint to the organisation to ask for compensation. Contact them in writing with your complaint and ask for a reply within 28 days. 

You may also want to complain to regulatory and professional bodies. Here’s a starter for six:

• ICO - Information Commissioner’s Office  - If you have a concern about the way an organisation is handling your personal information or they are not keeping it secure, you can submit a complaint to the ICO.  
• FCSA - Freelancer & Contractor Services Association - If you have a concern about your umbrella company or accountant and the organisation is an FCSA member, you can complain to them about breaches to the FCSA compliance codes. 
• FCA - Financial Conduct Authority - If your accountant has been hacked and your bank account connected to your accountant’s portal (which is a regulated activity), you can complain to the FCA, the regulator for financial services firms. 
• Accountancy professional bodies (AAT, ACCA, ICAEW) - if your accountant is registered with a professional body you may wish to complain if their work falls short, or they’re failing to provide you with your records
• ACAS - if you’re an umbrella employee and you’re having problems getting paid, talk to ACAS. They can mediate, and advise on employment tribunals
• Employment Agency Standards Inspectorate - the government department responsible for enforcing agency worker rights.

I hope this was useful and has given you some positive actions to take during this challenging time. Please do add a comment below if you have any questions, need anything clarifying, or have any other tips for impacted contractors.