British Airways, BBC and Boots staff have data stolen in cyber breach

Staff have been warned the breach may have exposed personal data including names, addresses, national insurance numbers and banking details

British Airways staff celebrate their centenary year in 2019 (Photo: Max Mumby/Indigo/Getty)

The BBC, British Airways and Boots have warned staff that swathes of personal data were stolen in a massive cyber attack on their payroll provider.

Zellis, which also provides payroll services for the NHS and Jaguar Land Rover, confirmed on Monday that staff of eight companies had been affected by the breach, in which hackers exploited a vulnerability in a third-party file transfer system, MOVEit.

The firm did not identify all of the companies targeted, but the BBC, British Airways and Boots all confirmed they were hit.

The Information Commissioner’s Office said it is aware of the incident and is “assessing the information provided.”

British Airways wrote to staff members paid in the UK on Monday to confirm the incident, thought to have exposed personal data including names, addresses, national insurance numbers and banking details.

A BA spokesperson said: “We have been informed that we are one of the companies impacted by Zellis’s cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.

“Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.

“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.”

A Boots spokeswoman confirmed “some of our team members’ personal details” had been exposed in the breach “and as a priority we have made our team members aware” – while the BBC said it was “aware of a data breach” and “working closely” with Zellis.

A spokesman for Zellis said: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.

“All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.”

Martin Riley, director of managed security services at security firm Bridewell, told i the attack was linked to a notorious Russian ransomware group that makes money through extortion, adding: “This group has been known to target this particular software several times over the last five years.”

But he said the vulnerability thought to have been used is new – and had not been identified publicly prior to a disclosure last week.

Mr Riley said it was “absolutely a possibility” the vulnerability has been used for other attacks yet to come out, adding: “We don’t yet know how long the attacker has been inside the infrastructure… there is still a lot of information to come out.”

He said that the data is likely to be used for extortion – but could be maliciously leaked or sold onwards to potential fraudsters if this fails.

If financial data is leaked, Mr Riley said: “I would be speaking to my bank as soon as possible to notify them of the breach and put in place heightened controls around fraudulent activity. That could even be as drastic as closing your account and setting up a new one with a new bank.”

He said that Zellis and the companies risk potentially enormous consequences if the ICO find them at fault for the breach, adding: “They’re more than aware of what the financial impacts may be for them.

“4 per cent of global revenues could be the maximum penalty for any of those organisations, so it could have significant commercial ramifications for industries that to some degree are still struggling from Covid.”

John Shier of cybersecurity firm Sophos said the latest round of attacks “is another reminder of the importance of supply chain security” as organisations face consequences from a supplier’s use of the third-party tool.

He added: “Exploited vulnerabilities are the number one root cause of ransomware attacks, so any organization that is using or has supply chain partners that use the MOVEit Transfer product need to patch immediately and investigate for potential compromise.”

Progress Software Corp, which makes MOVEit, disclosed the vulnerability last week and said it “could lead to potential unauthorized access into users’ systems”.

A MOVEit spokesperson said: “Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps.

“We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.

“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability.

“We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.”
