Cyber Incident Victim: Symatrix
Date:
Jan 2021
Location:
United Kingdom
Summary
A ransomware attack targeted Symatrix, a payroll provider, compromising sensitive employee data from its client Arup, an engineering and architecture firm. The breach exposed personal information including names, addresses, and bank details of staff members. Arup formally notified affected individuals about the incident, attributing the data exposure to the cybersecurity event at Symatrix. Following the breach, impacted employees sought legal advice regarding the incident, with a data breach specialist firm confirming multiple inquiries related to the compromised information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The cybersecurity incident involving payroll provider Symatrix occurred on January 12, 2021, impacting employees of engineering and architecture firm Arup. Symatrix suffered a ransomware attack that compromised sensitive personal data belonging to Arup staff members. The compromised information included employees' names, residential addresses, and bank account details. Arup formally notified affected personnel through written correspondence, attributing the breach to the cybersecurity incident at their third-party payroll processor. This notification confirmed the unauthorized access to payroll systems containing employee records.
Data breach specialists at CEL Solicitors reported receiving multiple inquiries from concerned Arup employees following the breach disclosure. The compromised banking information created immediate risks of financial fraud for affected individuals. No operational disruptions to Arup's internal engineering systems were reported, as the attack specifically targeted Symatrix's payroll infrastructure. The incident gained public attention when initially reported by journalist Richard Waite on April 7, 2021, nearly three months after the attack occurred. Legal professionals began assessing potential claims related to the exposure of sensitive financial data. Arup's notification letter served as the primary confirmation of Symatrix's involvement in the security failure that enabled the data compromise.