If you’re a contractor in the UK and use Qdos for insurance or anything IR35-related, here’s some news you don’t want to miss.
Qdos has confirmed a cyberattack hit one of their online platforms—mygoqdos.com—and some customer data was stolen. It happened back in June, and they’ve now started reaching out to clients to explain what went wrong.
The company says this wasn’t a ransomware attack, but someone did break in and download documents. That could include IR35 contract reviews, insurance info, your name, business address, maybe even your email.
Qdos CEO Seb Maley said to The Register: “Upon learning of the incident, we took immediate action including disabling customer access to the Qdos website as a precautionary measure while we investigated the incident.. Qdos’s investigation subsequently determined that an unauthorized third party was able to access and download certain data from one of our web applications. This involves data that our customers shared with us and notifications have been made, as appropriate.”
Qdos brought in outside cybersecurity experts, took the site offline to fix things, and reported the incident to the Information Commissioner’s Office (ICO), Financial Conduct Authority (FCA), National Cyber Security Centre (NCSC), and Action Fraud. It’s a serious situation.
What might’ve been taken
Here’s what Qdos says could be affected:
-
Your name and contact details
-
Business address (maybe your home address, if you work from there)
-
Documents tied to IR35 services — contracts, reviews, or calculations
-
Insurance stuff — invoices, credit notes, policy documents
What wasn’t affected:
-
Your card details
-
Passport or driver’s license
-
Claims info (if you’ve submitted one)
Still, this is the kind of info that’s tied to your digital identity. If it ends up in the wrong hands, it could be used in scams, phishing, or identity theft. And as a contractor, your name and your business are everything.
What is Qdos doing about this?
To their credit, Qdos acted quickly. As soon as they found out what was going on (June 19), they shut down the affected platform, fixed the issue, and had it back up by June 26.
They’re also offering 12 months of free identity monitoring through Experian, which watches the web, social media, and public records for signs your data is being used without your permission.
The ICO, FCA, and NCSC are all on the case too. Qdos says your insurance policy is still valid and your account can be used as normal for renewals or updates.
Still, they haven’t confirmed exactly which customers had what accessed, so if you’re on their platform, it’s safest to assume your info might’ve been involved and take action immediately, just in case.
What you should do now
If you’ve got an account with Qdos, don’t wait around. Here’s what you should do right now:
-
Sign up for the free Experian monitoring offer
-
Change your Qdos password, and anywhere else you reused it
-
Turn on two-factor authentication (if you haven’t already)
-
Watch for dodgy emails or messages—especially ones asking for money or account info
-
Report anything weird to Action Fraud
When you run your own business, staying on top of your cybersecurity isn’t optional anymore—it’s a very important part of the job.
Don’t way around, act now
Data breaches happen even to companies that try to do everything right. The way Qdos responded has been pretty solid: quick action, full disclosure, support from Experian, and the right authorities looped in.
But still, if your business info is floating around out there, that’s not nothing.
If you rely on Qdos for IR35 help or insurance, don’t panic… but act now. Take the free monitoring, lock down your logins, and stay alert. Because in this business, your digital identity is just as important as your next contract.