British software company Microlise confirms hackers compromised corporate data

Microlise, the Nottingham-based telematics business, confirmed on Monday that hackers compromised corporate data from its headquarters during a cyberattack three weeks ago.

The attack on Microlise had knock-on effects on the company’s customers, including leaving British prison vans without functioning tracking systems or panic alarms.

In a statement to the London Stock Exchange, Microlise said “the vast majority of customer systems are back online, with some remaining customers conducting their own security verifications before enabling users.”

The company stressed that “no customer systems data was compromised” although it said it has “notified international authorities regarding the exfiltration of corporate data from its HQ and continues to work with law enforcement regarding the incident.”

Microlise had previously told the stock exchange that “some limited employee data has been impacted by the incident.” 

The company has 463 employees based at its headquarters and 287 staff based in other offices in France, Australia and India. No figure has been given for the number of individuals impacted by the breach.

The company’s board said it does not anticipate any material adverse impact to its trading forecasts and financial position for this financial year. Shares were up 2.38% as of publication.

At the time the disruption to prison van tracking was reported, the Ministry of Justice declined to comment, although it is understood that officials regarded the incident as having no operational impact on prisoner escort services.

While the supply-chain incident highlights the risks that attacks on third-party suppliers can pose, there is no suggestion that the attackers understood the connection between Microlise and Serco, the prisoner transportation company.

The British government is currently trialing a pilot project to secure supply chains through its Cyber Essentials certification scheme, which will initially see the country’s largest banks introduce the security standards into their supplier requirements.

Other critical infrastructure operators and public sector contractors may be similarly obliged to introduce supplier requirements under the government’s forthcoming Cyber Security and Resilience Bill, which is expected to be introduced to parliament next year.