Leeds-headquartered agency IMA has been hit by a worldwide data breach involving the unauthorised access of staff payroll data, prompting concerns over a “worrying pattern of behaviour” in how financial information is handled.
In an internal email seen by Prolific North, the agency informed staff it had suffered a “data security incident” affecting certain internal systems. The breach involved an unauthorised party gaining access to personal data of former employees, including payroll information.
IMA said the incident was investigated in collaboration with cybersecurity experts, data privacy professionals, and law enforcement. The agency claims the breach did not specifically target IMA and that the data was accessed by a bot, with “no trace of human interaction.”
In a statement to Prolific North, IMA said it had moved ‘rapidly’ to contain the breach but some former staff have expressed concern about the handling of personal data at the firm.
It’s unclear how many ex employees based in the North were affected, but two former staff confidentially shared their concerns with Prolific North alleging that IMA has offered no solution other than advising them to keep an eye on their bank accounts.
A former IMA employee, who wishes to remain anonymous, said: “I’m really concerned at IMA’s lack of advice and following the data breach. The only advice was to keep an eye on our bank accounts. The lack of accountability is worrying and demonstrates a pattern of behaviour previously seen at this agency towards due care for its staff. I’m now left wondering who has my financial information and what the impact of this could be.”
Another ex staffer, who also wishes to remain anonymous, added that the “data breach has been handled really poorly” and were concerned following a separate breach on their bank account years ago, where their card was used fraudulently, but this was not linked to IMA.
“After getting that email it’s just brought that worry back again,” the former staff member said. “And the agency doesn’t seem to be able to reassure me that my information is secured now.”
IMA stressed that they conducted a full investigation and contained the impact as soon as possible, and also have a data security team ready to respond to anyone who has questions about the breach.
Alex Uprichard, managing director at IMA, said: “Despite our proactive security measures, IMA was affected by a data breach last week due to a third-party software issue which impacted multiple companies worldwide,” she said. “We immediately undertook a thorough investigation, collaborating with an array of regulatory bodies, and we are pleased to say this was rapidly contained.
“All relevant parties were notified and whilst we cannot comment on individuals specifically, our data protection team are handling any questions. We will continue to monitor the situation with business operations continuing as normal.”
The firm’s response echoes the email sent to staff. It read: “We have taken swift action to contain the breach and secure our systems. We continue to monitor the situation with business operations continuing as normal.”
IMA informed ex employees in the lengthy email that it had notified the Information Commissioner’s Office (ICO) and reiterated that it recognises the “seriousness of this matter” and that its teams are enhancing security measures to prevent any recurrence.
