British Airways (BA), Boots and the BBC have been affected by a cyberattack on payroll company Zellis, with personal details on thousands of employees apparently exposed. The criminals behind the breach, thought to be the Russian ransomware group Cl0p, apparently exploited an ongoing vulnerability in the file transfer software MOVEit Transfer.
At least eight of the cloud payroll software company Zellis’s customers have fallen victim to this attack, the company has confirmed. It claims to be the “market leader” in outsourced payroll services across the UK and Ireland, working with a third of the FTSE 100 businesses and processing more than 60 million payslips a year.
British Airways: confirmed victim of cyberattack on Zellis
One of the affected companies is British Airways, which has written to thousands of its employees, as anyone paid through its UK payroll may have been impacted by the cyberattack.
The letter warns of a “cybersecurity incident which has led to the disclosure of personally identifiable information (PII) about colleagues paid through British Airways’ payroll in the UK and Ireland.”
This information appears to include names, addresses, national insurance numbers and banking details.
A spokesperson for BA said: “We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit. Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.”
Boots employees have seen elements of their personal data compromised, including names, employee numbers, dates of birth, email addresses, NI numbers and the first lines of their house addresses.
A spokesperson for Boots said: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”
It has also been reported that the BBC has fallen victim to the hack. Tech Monitor has contacted the corporation for comment.
What happened in the Zellis cyberattack?
The attack originated from Zellis’s use of the MOVEit Transfer file transfer software, which has a critical vulnerability that hackers have been exploiting for several weeks. Using this as an entry point, the hackers were able to access information on Zellis customers.
A statement from Zellis said: “Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”
The company has notified the Information Commissioner’s Office, the Data Protection Commission and the National Cybersecurity Centre in both the UK and Ireland.
The widespread nature of these attacks is a reminder to all companies to shore up their software supply chain security as a matter of urgency, says John Shier, field CTO at cybersecurity company Sophos.
“This latest round of attacks is another reminder of the importance of supply chain security. While Cl0p has been linked to this active exploitation, it is probable that other threat groups are prepared to use this vulnerability as well,” Shier says. “Any organization that is using or has supply chain partners that use the MOVEit Transfer product needs to patch immediately and investigate for potential compromise.”
Cl0p gets the blame for exploiting MOVEit Transfer flaw
MOVEit Transfer is widely deployed by businesses in the US and the UK, so the vulnerability in the software is posing serious problems for many tech leaders. There had been 2,500 instances of the MOVEit Transfer vulnerability being exploited by the end of May, according to security company Rapid7.
Today Microsoft announced that the perpetrator behind these persistent attacks is a group it calls Lace Tempest, known for running the dark web victim blog of the Clop ransomware gang.
The gang has also perpetrated other high-profile attacks, such as those on print management company PaperCut and on security company Fortra, the latter of which saw the data of 63,000 children compromised.
Cl0p has previously been known to wait some weeks before coming forward to claim their attacks. “We deliberately did not disclose your organization, we wanted to negotiate with you and your leadership first,” reads a Clop ransom note reportedly sent during the GoAnywhere extortion attacks.