Business insurance and employment status specialist Qdos has confirmed that an intruder has stolen some customers personal data, according to a communication to tech contractors that was seen by The Register.
Qdos yesterday emailed clients on its database to confirm a “recent data security incident affecting one of our web applications: mygoqdos.com, that may have involved data relating to you and your business.”
It says it was alerted to the issue on June 19 and launched a probe with the help of third party cyber security expert.
“Whilst we can confirm that this was not a ransomware attack, our investigation determined an unauthorized third party was able to access and download certain data from the web application, including some personal customer information and documents relating to customer insurance policies and IR35 services,” the email says.
The Information Commissioner’s Office, the Financial Conduct Authority, Action Fraud and the National Cyber Security Centre were notified as part of Qdos’s security management efforts.
The email to customers said that credit card information and other identification documents including customers’ passports or drivers licenses are not collected or stored, and “information provided with respect to claims against insurance policies has also not been impacted.”
“We can’t confirm exactly what data or documents were accessed or downloaded for customers individually,” it said, “but it is possible that documents related to insurance policies, IR35 services (contracts, contract reviews or IR35 calculations; and documents pertaining to purchases such as invoices and credit notes were accessed.”
Personal data from customers’ account[s] including name, correspondence address (or registered business address) email address and contact may also be affected, the communication states.
Contractors were assured policies “remain in full effect and have not been impacted in any way” and claims and use of online accounts to manage policies, renewal and new applications are not impacted.
In a statement to The Register, Qdos CEO Seb Maley said:
“The security of your data is important to us, and we are offering you 12 months of free identity monitoring services, provided by Experian, one of the UK’s leading Credit Reference agencies. Experian’s IdentityWorksSM service monitors the web, social networks and public databases on your behalf 24/7, looking for your details to immediately detect theft, loss or disclosure of your vital personal and financial information,” Qdos says in the email.
It advises: “Be especially vigilant against suspicious activity, including suspicious emails, phone calls or text messages.”
We have asked the ICO, Action Fraud, the FCA and NCSC to comment. ®