A cyberattack on a telematics company has left British prison vans without tracking systems or panic alarms, although there is no evidence criminals have attempted to exploit the situation.

Microlise, the directly impacted company, informed the London Stock Exchange of the incident last week although it did not provide details of the knock-on impact to customers.

In an updated statement on Wednesday, Microlise confirmed that the attackers may have accessed employee data but said it is “confident that no customer systems data has been compromised.”

Microlise added it “has been bringing services back online and currently expects this to continue over the coming days with the services essentially back to normal by the end of next week.”

Among its customers is Serco, an outsourcer that operates prisoner escort services for the Ministry of Justice. According to the Financial Times newspaper, Serco staff were informed on Monday that “vehicle tracking, panic alarms, navigation and notifications related to estimated arrival times” were disabled due to the Microlise incident.

The Ministry of Justice declined to comment. It is understood that officials regard the incident as having no operational impact on the British prisoner escort service.

While the supply-chain incident highlights the risks that attacks on third-party suppliers can pose, there is no suggestion that the attackers in this incident understood the connection between Microlise and Serco’s prisoner transportation.

The British government is currently trialing a pilot project to secure supply chains through its Cyber Essentials certification scheme, which will initially see the country’s largest banks introduce the security standards into their supplier requirements.

Other critical infrastructure operators and public sector contractors may be similarly obliged to introduce supplier requirements under the government’s forthcoming Cyber Security and Resilience Bill, which is expected to be introduced to parliament next year.