The professional services firm, which provides engineering, architecture, design, planning and project management services for the built environment, alerted employees to the incident in a letter, stating that its third-party payroll provider had suffered a “cyber security incident” on 12 January.
Arup was told of the breach on 11 March and created a specialist team to investigate the extent of the attack before telling its staff.
Among the data compromised are first name, surname, bank account number, bank sort code, national insurance number, date of birth, gender and address.
Staff were told that the payroll provider was the victim of a ransomware attack, in which files were copied and encrypted and access to the data was then held to ransom.
The incident has been reported to the Information Commissioner's Office (ICO), and national law firm CEL Solicitors is already receiving enquiries from some staff members.
One Arup employee affected by the attack, who wishes to remain anonymous, said: “It’s incredibly worrying to know that such personal information as my bank details and address have been accessed by these cyber criminals, especially in the current climate when there is enough going on to be worried about.
“Arup is a global company and the fact that they have simply told us what we need to do, without taking any real steps to make sure we’re protected, is very disappointing.
“We won’t know if or when we could feel the effects of the hack, so it’s extremely distressing to have a feeling of such uncertainty or vulnerability.”
Mark Montaldo, director at CEL Solicitors – which specialises in data breach – said: “As cyber criminals become more sophisticated in how they access data, they are able to delve deeper into sensitive information, hacking into bank account details, national insurance numbers and addresses.
“This example of Arup’s also demonstrates how they are willing to impact a global company via a third party which, in this case, is the payroll provider. From recent cases, we can also quite clearly see how the perpetrators do not discriminate against industry, with no sector being 100% safe from such fraudulent activity, so it’s essential that firms – of all sizes – take action to make sure their data protection processes are watertight.”
Now, staff at Arup have been instructed to contact their banks and check there has been no unexpected activity.
They have also been offered free access to an identity protection service.
Mark added: “It is vital that, if you are employed by Arup, or have been at some point since November 2018, you contact your bank and tell them about the incident.
“Be on your guard for any unexpected activity and check your bank balance and transactions regularly. The repercussions of a hack like this may not always happen straightaway, so it is extremely important to maintain a high level of vigilance.”