Leaked One Call staff messages confirm 'cyber security' incident as major crime unit called in

A major regional crime unit has been called in to Doncaster’s One Call Insurance after it was reportedly targeted by Eastern European hackers demanding a £15 million ransom after seizing customer details.

Thursday, 20th May 2021, 10:29 am
One Call is said to have been hit by Russian hackers - and a major crime unit is now investigating.

The Yorkshire and the Humber Regional Organised Crime Unit have been called in to the Black Bank based firm after its computer systems were hacked last week, reportedly by Eastern European cyber crime network DarkSide.

One Call has still not confirmed details of the attack or issued a statement, telling customers that it was experiencing ‘IT issues’ – despite coming under attack more than a week ago.

But the Free Press has been leaked messages, reputedly sent to staff, confirming a ‘cyber security incident’ and telling employees not to speculate ‘because of an ongoing police investigation.’

Sign up to our daily newsletter

The i newsletter cut through the noise

And screenshots of a list of names and email addresses, reputed to by those of One Call customers, have also been uploaded to the dark web.

Dozens of angry staff members as well as customers have come forward to blast the firm, accusing it of ‘covering up’ the cyber attack which has impacted on the firm's emails, website and phone lines and left customers unable to access their policy documents.

It is feared bank details, passwords and other personal details have been seized by DarkSide who are understood to have sent a message to staff computers announcing: “Welcome to the DarkSide” and demanding cash in return for the restoration of the firm’s database.

A message reportedly sent to staff by One Call managers, said: “The IT team has been working hard to restore our priority systems but we’ve also been working with an external IT forensics team to understand what happened.

"They have confirmed that unfortunately this is a cyber security incident.

"They are investigating this matter, but the investigation is still at an early stage, so there are still a lot of unknowns.

“We know we we will get questions on this from customers, partners and maybe the press so we’ll be giving you everything you need to respond to customers accurately.

"It’s really important that we don’t speculate as this is also an ongoing police investigation.”

The hacking is understood to have taken place late last Wednesday night or in the early hours of last Thursday morning, with employees finding their PCs had been infected when they logged on to start work.

The attack is said to be the work of DarkSide, an Eastern Europe-based cybercriminal hacking group that targets victims using ransomware and extortion.

DarkSide is believed to be based in Eastern Europe, likely Russia, but unlike other hacking groups responsible for high-profile cyberattacks it is not believed to be directly state-sponsored and avoids targets in certain geographic locations by checking their system language settings.

Experts state that the group is "one of the many for-profit ransomware groups that have proliferated and thrived in Russia" with at least the implicit sanction of the Russian authorities, who allow the activity to occur so long as it attacks foreign targets.

The group has sought to foster a "Robin Hood" image, claiming that they donated some of their ransom proceeds to charity.

Previous attacks have included targeting the United States’ oil and gas infrastructure on four occasions.

In May, the FBI identified DarkSide as the perpetrator of the Colonial Pipeline ransomware attack, a cyberattack that led to a shutdown of the main pipeline supplying 45% of fuel to the East Coast of the United States.

One staff member, who declined to be named said: “All systems and customer data have been stolen by hackers and they don’t have access to it.

"They found this out when they logged on to their systems.

"A message appeared on the screen from the hackers stating if they do not receive £15 million, the data they have will be made public.

"That’s including all customer data such as passwords and bank details.”

Commenting on the story, BBC cyber crime reporter Joe Tidy, an expert on hacking and ransomware said: “Looks like DarkSide hackers are still very much an active crew.”

Meanwhile the firm has also been accused of removing comments from its Facebook page from concerned customers asking if the company’s database has been hacked.

Threads on the page have been locked with customers unable to comment.

A spokesman for the Yorkshire and the Humber Regional Organised Crime Unit, made up of officers from a number of police forces, confirmed it is investigating.

A brief statement said: “We have been made aware of a cyber incident affecting Doncaster-based firm One Call Insurance and are working with the firm to investigate it.

“Our enquiries remain ongoing.”

The Regional Cyber Crime Unit works with the National Crime Agency in the UK and abroad, to investigate and prevent the most serious cybercrime offences.

Meanwhile, the Information Commissioner's Office, the UK’s indepedent body which upholds data protection is also investigating One Call.

An ICO spokesman said:”One Call Insurance have reported an incident to us and we will be making enquiries. Anyone who is concerned about their personal data should contact the company first. If they are still not satisfied they can bring their concerns to the ICO.”

We have approached One Call on numerous occasions for comment.