Cyber Incident Victim: Eurocell plc
Date:
Sep 2022
Location:
United Kingdom
Summary
A major cyber attack compromised Eurocell plc's systems, exposing sensitive employee data including personal information, bank account and national insurance numbers, employment terms, right to work documentation, health records, and disciplinary files. The breach potentially affects current and former staff across its UK operations, with concerns that stolen data could appear on the dark web, heightening risks of identity theft and fraud. While the company stated no evidence of misuse yet, legal representatives emphasized uncertainties about future impacts and called for further investigation into the incident's scope and security failures.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around September 1, 2022, Eurocell plc, a UK-based manufacturer and distributor of PVC-U roofing products with over 2,000 employees and 210 branches nationwide, suffered a cyber attack resulting in unauthorized third-party access to its IT systems. The breach led to the copying of extensive employee data from company servers. Eurocell notified current and former employees, including those in West Midlands locations such as Brierley Hill, Cannock, Kidderminster, Shrewsbury, Stafford, Walsall, and Wolverhampton, via formal letters disclosing the compromise. The stolen data encompassed employment terms and conditions, personal identifiers (dates of birth, next of kin details), financial information (bank account numbers, national insurance numbers, tax references), right-to-work documentation, health and wellbeing records, learning and development histories, and disciplinary or grievance files. The company acknowledged the breach but did not specify the exact number of affected individuals or confirm whether all data categories were exfiltrated for every employee. Eurocell stated there was no evidence of data misuse at the time of notification, though the full scope of the incident remained under investigation.
The data breach exposed employees to significant risks of identity theft and financial fraud, with concerns that the stolen information could appear on dark web markets—a common outcome of similar cyber attacks. Specialist law firm Hayes Connor initiated legal support for impacted individuals and publicly demanded Eurocell provide clearer details about the attack methodology and security failures. Legal representative Christine Sabino emphasized the severity of the incident, noting the inclusion of highly sensitive personal and occupational records heightened risks for both current and former staff, potentially affecting a larger population than the active workforce of 2,000. Sabino questioned Eurocell’s assertion regarding the absence of data misuse, highlighting the impossibility of verifying this claim or guaranteeing future security against exploitation. The firm launched independent inquiries to determine liability, stressing that employers bear statutory obligations to safeguard employee data and that the breach warranted rigorous investigation to establish accountability. Eurocell’s operational response beyond employee notifications was not detailed in available disclosures.