The consultant’s third party payroll provider suffered a “cyber security incident” earlier this year and Arup was told of the breach last month when a specialist team started investigating the extent of the attack before telling its 6,000 staff.
Among the data compromised are first name, surname, bank account number, bank sort code, national insurance number, date of birth, gender and address.
The payroll provider was the victim of a ransomware attack, meaning files were copied and encrypted before being held to ransom in order to access the data.
The incident has been reported to the Information Commissioners Office (ICO) and has seen national law firm CEL Solicitors receive enquiries from Arup staff.
Mark Montaldo, director at CEL Solicitors said: “As cyber criminals become more sophisticated in how they access data, they are able to delve deeper into sensitive information, hacking into bank account details, national insurance numbers and addresses.
“This example of Arup’s also demonstrates how they are willing to impact a global company via a third party which, in this case, is the payroll provider”
Staff at Arup have been instructed to contact their banks and check there has been no unexpected activity.
They have also been offered free access to an identity protection service.
Montaldo added: “It is vital that, if you are employed by Arup, or have been at some point since November 2018, you contact your bank and tell them about the incident.
“Be on your guard for any unexpected activity and check your bank balance and transactions regularly. The repercussions of a hack like this may not always happen straightaway, so it is extremely important to maintain a high level vigilance.”