Last year’s IT data breach at Simplify, which forced it to temporarily take down its systems, may have exposed the personal information of former and existing employees working at the conveyancing group, it has been revealed.

Simplify was the victim of a cyber-attack in November 2021, which created mayhem in property chains across the UK. The incident affected Premier Property Lawyers, JS Law, DC Law and Advantage Property Lawyers, with many property deals stalled.

The conveyancing group’s internal investigation has found that some exposed files contained information relating to employees – past and present – including bank account information, contact details, date of birth, health and medical information, as well as tax and national insurance number.

Simplify Group, which delivers conveyancing services for a number of estate agents, shared details of the incident in a letter from Simplify’s chief executive, David Grossman, to former and current employees whose files containing personal information may have been accessed.

The letter, shared with the Law Society Gazette, states: “On 7 November 2021, we began to experience some IT disruption to part of our network, Our IT team soon established that this was the result of a security incident during which an unauthorised third party gained access to parts of our system for a limited period of time.

“We immediately disconnected all systems to contain the incident (which was something we had plans in place for). With the help of professional security experts, we contained the incident and worked tirelessly to restore our systems in a safe and robust manner as quickly as possible.”

Simplify undertook a “detailed forensic analysis” to find out what files may have been accessed by the unauthorised third party and reviewed those files for personal information.

“Investigations like this are complex and take a significant amount of time to complete, which is why we were unable to contact you until now,” the letter added.

The letter says that “the vast majority of these files” did not contain any personal information. However, “some files held information about our colleagues and former colleagues”.

As well as standard employment information, Simplify’s investigation found that some files contained information including bank account information, contact details, date of birth, health and medical information, as well as tax and national insurance number.

The letter added: “Whilst it is possible that this information could be used for identity theft or fraud, the comprehensive steps Simplify took in response to the incident and the fact that the information was unstructured in nature (i.e. not held in a format that is easy to access or read) significantly reduces any such risk.

“Furthermore, following close monitoring, we are confident that none of your information has been shared online or otherwise misused following the incident. We also believe that the risks of this happening at any time are minimal. We have a security expert monitoring the internet and there is no evidence that anyone is in possession of your data.”

A spokesperson for Simplify said: “In late 2021 Simplify experienced IT disruption that was found to be due to an unauthorised third party temporarily gaining access to a part of the IT systems, relating to certain internal Simplify files. By early 2022, our services had returned to normal for clients both existing and new, with our conveyancing colleagues back up and running on core systems and actively working on cases.

“Since then, and supported by a third-party team of specialists, Simplify has undertaken a detailed investigation and analysis of the incident and the files. The vast majority of these files did not contain any personal information. However, some files held information about our colleagues and former colleagues, and we have now identified that some of their personal data was involved. In line with our legal and regulatory obligations, we have taken steps to notify those people whose personal data was involved in this incident and provided appropriate guidance and support.

“We take data security extremely seriously and have been working with experienced IT forensic partners to further strengthen our systems and help prevent future issues.”

Simplify customers ‘still waiting for answers a month after cyber-attack’