Hundreds of thousands of UK workers could have key information compromised after a devastating cyber attack targeting a platform responsible for paying wages. People working for the BBC, Boots and British Airways have potentially been compromised.
A total of eight UK businesses and organisations have been impacted by the data breach at payroll platform Zellis but they have not all been named yet. Zellis is known to handle services for hundreds of companies in the UK.
One of the organisations impacted is the BBC and a spokesperson said: “We are aware of a data breach at our third party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach.
“We take data security extremely seriously and are following the established reporting procedures.” The hack has suspected links to a Russian-speaking cybercrime gang called Clop, according to reports.
The incident relates to a flaw in a piece of software called MOVEit Transfer, used by thousands of companies globally to transfer files, which could be exploited by cyber criminals.
Companies using the software were urged last week to take immediate action. The UK’s leading payroll provider Zellis said that eight of its customers have been impacted by the “global issue”, which may have exposed personal information, including names, addresses, and banking details.
Boots confirmed it made its 50,000 staff aware of the data vulnerability which it said was affecting many companies around the world. A Boots spokeswoman said: “A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members’ personal details.
“Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware.” British Airways, which has around 34,000 people employed in the UK, also confirmed it was one of the companies to be caught up in the cyber attack.
“We have notified those colleagues whose personal information has been compromised to provide support and advice,” a spokesman said. A BA employee told The Mirror: “I woke up to an email to find out all my details needed to steal my identity have been stolen from my company.”
British Airways and Zellis have both reported the incident to the Information Commissioner’s Office (ICO), the firm said. Zellis said in its own statement: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.
“We employ robust security processes across all of our services and they all continue to run as normal.”
A spokesperson for Progress Software, which makes MOVEit, told the Mirror it had “promptly launched an investigation” and alerted customers, before disabling web access to the tool and developing a security patch.
“We are also continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures,” a spokesperson said.
It comes after outsourcing firm and government contractor Capita was recently affected by a cyber attack that saw some customer, supplier and staff data accessed by hackers. Capita said it faces a bill of up to £20 million to deal with the incident, including for recovery and remediation costs and to invest in reinforcing its cyber security defences.
British Airways suffered a data hack in 2018, when the attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff.
It included the names, addresses, payment card numbers and the three digits on the back of cards of 77,000 customers, and card numbers only for 108,000 customers.
The airline was fined £20 million by the ICO after investigators found it should have identified the security weaknesses that enabled the attack.