BA, Boots and BBC staff details targeted in Russian-linked cyber-attack


British Airways, Boots and the BBC are investigating the potential theft of staff members’ personal details after they were hit by a cyber-attack attributed to a Russia-linked criminal gang.

BA confirmed that it was one of the companies affected by the hack, which targeted software called MOVEit used by Zellis, a payroll provider.

“We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit,” said a spokesperson for the airline.

An email sent to BA staff told employees that compromised information included names, addresses, national insurance numbers and banking details, according to the Daily Telegraph, which first reported the hack.

Boots said that “some of our team members’ personal details” had been affected by the hack. The Telegraph reported that staff had been told that data involved in the attack included names, surnames, employee numbers, dates of birth, email addresses, the first lines of home address and national insurance numbers.

A BBC spokesperson also confirmed that the broadcaster had been affected. The BBC believes the breach does not include staff bank details.

“We are aware of a data breach at our third party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures,” they said.

Zellis said customers around the world had been hit by a vulnerability in MOVEit, a file transfer system used by the company.

“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them,” it said, adding that the UK data watchdog and the National Cyber Security Centre had been informed.

Rafe Pilling, director for threat research at US cybersecurity firm Secureworks, said the attack was likely carried out by an affiliate of the cybercriminal gang behind a piece of ransomware called Clop, as well as a related website where stolen data is advertised. Pilling said the entity behind Clop was a Russian-speaking “established cybercrime group”.

Pilling added that victims of the hack should expect to be contacted and asked for money for the return of any stolen data.

“Victims will be contacted and if they refuse they will probably be listed and published on the Clop site,” he said.

In a tweet on Sunday, Microsoft’s threat intelligence team attributed the attacks to a group it called Lace Tempest. It said the group was “known for ransomware operations & running the Clop extortion site”. It added: “The threat actor has used similar vulnerabilities in the past to steal data & extort victims.”


