Simplify data breach exposed employees

Investigation reveals Simplify data breach exposed employees personal information

Information that “could be used for identity theft or fraud” taken from firm’s database

An investigation into an IT data breach at Simplify in November last year has revealed that personal information of its employees may have been exposed.

The group was subjected to a cyber attack which temporarily forced the conveyancing firm to take down its site, whilst also affecting numerous other conveyancing firms.

The data breach affected thousands of property transactions and left home movers stranded.

An internal investigation at Simplify Grpoup has revealed files containing personal information relating to its employees, such as bank account information, health and medical information, tax and national insurance details, amongst other crucial information was exposed during the attack.

A letter from David Grossman, Simplify’s chief executive, was sent out to all employees, past and present affected, which was also shared with the Law Society Gazette, which read:

“On 7th November, 2021, we began to experience some IT disruption to part of our network, Our IT team soon established that this was the result of a security incident during which an unauthorised third party gained access to parts of our system for a limited period of time.

We immediately disconnected all systems to contain the incident (which was something we had plans in place for). With the help of professional security experts, we contained the incident and worked tirelessly to restore our systems in a safe and robust manner as quickly as possible.”

He went on to claim Simplify carried out a “detailed forensic analysis” to find out what information was stolen. He explained why this had taken till now as he added:

“Investigations like this are complex and take a significant amount of time to complete, which is why we were unable to contact you until now.”

He did reveal that the majority of the files did not contain key personal information, but some files which were exposed contained information relating to employees. He continued:

“Whilst it is possible that this information could be used for identity theft or fraud, the comprehensive steps Simplify took in response to the incident and the fact that the information was unstructured in nature (i.e. not held in a format that is easy to access or read) significantly reduces any such risk.

Furthermore, following close monitoring, we are confident that none of your information has been shared online or otherwise misused following the incident. We also believe that the risks of this happening at any time are minimal. We have a security expert monitoring the internet and there is no evidence that anyone is in possession of your data.”

A spokesperson for Simplify said:

“Simplify has undertaken a detailed investigation and analysis of the incident and the files. The vast majority of these files did not contain any personal information. However, some files held information about our colleagues and former colleagues, and we have now identified that some of their personal data was involved.

In line with our legal and regulatory obligations, we have taken steps to notify those people whose personal data was involved in this incident and provided appropriate guidance and support.

We take data security extremely seriously and have been working with experienced IT forensic partners to further strengthen our systems and help prevent future issues.”

However, it was revealed by Today’s Conveyancer in December last year that a number of Simplify staff were taking up legal action against Simplify for the data breach.

Keller Lenkner confirmed a number of people have employed them to act as litigants against Simplify for the data breach as they claim Simplify “faces a potential GDPR litigation nightmare”. A spokesperson for the firm stated:

“In our experience, data security incidents of this scale usually uncover a catalogue of security errors within a company … and, if Simplify failed to adequately protect its data/systems from criminals, it must be held legally responsible.”

Join nearly 5,000 other conveyancers – sign up to our newsletter

Want to have your say? Leave a comment

Your email address will not be published. Required fields are marked *

Read more stories

Join over 7,000 conveyancing professionals – Check back daily for all the latest news, views, insights and best practice and sign up to our e-newsletter to receive our daily and weekly round ups

You’ll receive the latest updates, analysis, and best practice straight to your inbox.