June 5, 2023 (updated 07 Jun 2023 1:21pm)

British Airways, BBC and Boots all hit in Zellis cyberattack exploiting MOVEit vulnerability

Russian cybercriminals Cl0p are said to be behind the breach which has impacted some of the UK's biggest businesses.

By Claudia Glover

British Airways (BA), Boots and the BBC have been affected by a cyberattack on payroll company Zellis, with personal details on thousands of employees apparently exposed. The criminals behind the breach, thought to be Russian ransomware group Cl0p, apparently exploited an ongoing vulnerability in file transfer software MOVEit Transfer.

Numerous customers of the payroll software company, including BA, were hit by ransomware attacks. (Photo by Ceri Breeze/Shutterstock)

At least eight of the cloud payroll software company Zellis’s customers have fallen victim to this attack, the company has confirmed. It claims to be the “market leader” in outsourced payroll services across the UK and Ireland, working with a third of the FTSE 100 businesses and processing more than 60 million payslips a year.

British Airways: confirmed victim of cyberattack on Zellis

One of the affected companies is British Airways, which has written to thousands of its employees, as anyone who is paid in the UK may have been impacted by the cyberattack.

The letter warns of a “cybersecurity incident which has led to the disclosure of personally identifiable information (PII) about colleagues paid through British Airways’ payroll in the UK and Ireland.”

This information appears to include names, addresses, national insurance numbers and banking details.

A spokesperson for BA said: “We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit. Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.”

Boots employees have seen elements of their personal data compromised, including names, employee numbers, dates of birth, email addresses, NI numbers and the first lines of their house addresses. 

A spokesperson for Boots said: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”

It has also been reported that the BBC has fallen victim to the hack. Tech Monitor has contacted the corporation for comment.

What happened in Zellis cyberattack?

The attack originated from Zellis’s use of the MOVEit Transfer file transfer software, which has a critical vulnerability that has been exploited by hackers for several weeks. Using this as an entry point, the hackers were able to access information on Zellis customers.

A statement from Zellis said: “Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”

The company has notified the Information Commissioner’s Office, the Data Protection Commission and the National Cybersecurity Centre in both the UK and Ireland.

The widespread nature of these attacks is a reminder to all companies to shore up their software supply chain security as a matter of urgency, says John Shier, field CTO at cybersecurity company Sophos.

“This latest round of attacks is another reminder of the importance of supply chain security. While Cl0p has been linked to this active exploitation it is probable that other threat groups are prepared to use this vulnerability as well,” Shier says. “Any organization that is using or has supply chain partners that use the MOVEit Transfer product needs to patch immediately and investigate for potential compromise.”

Cl0p gets the blame for exploiting MOVEit Transfer flaw

MOVEit Transfer is widely deployed by businesses in the US and the UK, so the vulnerability in its system is posing serious problems for many tech leaders. There had been 2,500 instances of the MOVEit Transfer vulnerability being exploited by the end of May, according to security company Rapid7.

Today Microsoft announced that the perpetrator behind these persistent attacks is a group called Lace Tempest, known for running the dark web victim blog of ransomware gang Clop.

The gang has also perpetrated other high-profile attacks, such as the attack on print management company PaperCut and the attack on security company Fortra, which saw the data of 63,000 children compromised.

Cl0p has previously been known to wait some weeks before coming forward to claim their attacks. “We deliberately did not disclose your organization, we wanted to negotiate with you and your leadership first,” reads a Clop ransom note reportedly sent during the GoAnywhere extortion attacks.
