Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Serco’s tracking devices and panic alarms on prison vans were disabled after a cyber attack last week on a service provider for the UK outsourcing giant.
In an incident that also affected the operations of DHL, hackers targeted Aim-listed Microlise, whose tracking software provides protection for Serco employees and prisoners, ensuring their whereabouts are known at all times.
Microlise notified the London Stock Exchange about the attack on October 31, saying it was “working hard to quickly bring the affected services back online” but it did not name its affected corporate customers.
Serco operates prisoner escort and custody services for the Ministry of Justice. It is the company’s largest services contract of this kind with more than 300,000 prisoner movements under its charge each year.
Some Serco crews were unaware that vehicles were still being used to transport prisoners for three days after the attack despite continuing software faults, according to a person familiar with the matter.
The vehicles were sent out “without tracking or proper alarms and no security for staff”, the person said.
Serco said: “We are aware that one of our subcontractors has been impacted by a cyber incident. We have put in place mitigation plans and we have continued to provide prisoner escorting services uninterrupted for the Ministry of Justice.”
Serco declined to comment further.
The cyber attack comes as the prison system in England and Wales is already in crisis. The Labour government has released thousands of prisoners early to ease overcrowding and has promised to invest in the probation service, which is also overstretched.
Serco, which has dozens of contracts with the UK government in security, asylum accommodation and prisons, has come in for criticism recently after failing to tag some offenders released early to ease overcrowding in jails.
Serco has previously said it was “working hard to reduce the number of people waiting to have a tag fitted”.
The London-listed company was also previously investigated by the Serious Fraud Office for overcharging the government on an offender electronic tagging contract.
Serco agreed to pay a fine of £19.2mn plus costs as part of a settlement deal over the scandal.
In a notice to staff sent out on Monday and seen by the Financial Times, Serco said that vehicle tracking, panic alarms, navigation and notifications related to estimated arrival times had all been “unavailable” as a result of the Microlise outage.
Fleet-tracking systems can enhance driver safety by monitoring for speed violations, sudden braking, or rapid acceleration, according to Microlise.
Serco’s contingency plans outlined in the notice to staff included ensuring mobile phones were charged, vehicle crews were in contact with bases every 30 minutes and staff were supported with “the use of paper maps and guidance”.
“It is apparent that there are a number of staff concerns surrounding the safety of staff and custodies in our care, due to the Microlise outage that we are currently experiencing across the business,” the notice said.
The Microlise board had appointed external cyber security specialists to establish the nature and extent of the incident, the company said.
International express mail courier DHL was also affected by the Microlise attack, leaving some of DHL’s fleets without tracking capabilities last week.
The company’s tracking services provided by Microlise were reportedly hit on October 31, with deliveries to Nisa stores impaired.
DHL confirmed it was affected by the Microlise outage. It did not immediately provide further comment.
Microlise said: “Some of our systems have now been restored and we are continuing to safely and securely complete restoration across all affected systems.”
“Throughout this process our internal incident team has been working closely with external cyber security experts to resolve this incident,” it added.
The MoJ declined to comment.
