Advisor to Brit tech contractors Qdos confirms client data leak – Source: go.theregister.com

Updated Business insurance and employment status specialist Qdos has confirmed that an intruder has stolen some customers personal data, according to a communication to tech contractors that was seen by The Register.

Qdos yesterday emailed clients on its database to confirm a “recent data security incident affecting one of our web applications: mygoqdos.com, that may have involved data relating to you and your business.”

It says it was alerted to the issue on June 19 and launched a probe with the help of third party cyber security expert.

“Whilst we can confirm that this was not a ransomware attack, our investigation determined an unauthorized third party was able to access and download certain data from the web application, including some personal customer information and documents relating to customer insurance policies and IR35 services,” the email says.

The Information Commissioner’s Office, the Financial Conduct Authority, Action Fraud and the National Cyber Security Centre were notified as part of Qdos’s security management efforts.

The email to customers said that credit card information and other identification documents including customers’ passports or drivers licenses are not collected or stored, and “information provided with respect to claims against insurance policies has also not been impacted.”

“We can’t confirm exactly what data or documents were accessed or downloaded for customers individually,” it said, “but it is possible that documents related to insurance policies, IR35 services (contracts, contract reviews or IR35 calculations; and documents pertaining to purchases such as invoices and credit notes were accessed.”

Personal data from customers’ account[s] including name, correspondence address (or registered business address) email address and contact may also be affected, the communication states.

Contractors were assured policies “remain in full effect and have not been impacted in any way” and claims and use of online accounts to manage policies, renewal and new applications are not impacted.

In a statement to The Register, Qdos CEO Seb Maley said:

• UK government faces calls to end IR35 double tax anomaly
• How important are tech and other contractors to UK? PM candidate promises tax review if elected
• HMRC: Contractors, don’t worry about IR35 reforms in private sector ‘cos it all went so well in public sector
• Umbrella company Parasol Group confirms cyber attack as ‘root cause’ of prolonged network outage

“The security of your data is important to us, and we are offering you 12 months of free identity monitoring services, provided by Experian, one of the UK’s leading Credit Reference agencies. Experian’s IdentityWorksSM service monitors the web, social networks and public databases on your behalf 24/7, looking for your details to immediately detect theft, loss or disclosure of your vital personal and financial information,” Qdos says in the email.

It advises: “Be especially vigilant against suspicious activity, including suspicious emails, phone calls or text messages.”

We have asked the ICO, the FCA and NCSC to comment. ®

Updated at 13.56 UTC on July 25, 2025, to add:

Hours after the publication of this article, the ICO made contact to confirm: “We are aware of an incident and are currently making enquiries.”

The Commissioner’s on the case. Phew.

Updated at 14.43 UTC on July 25, 2025, to add:

The FCA told it too is paying attention. “We’re aware of the recent issues at Qdos. We are engaging closely with the firm to understand the impact and the steps being taken to address any potential harm.”