Boots, BA, BBC staff hit by cyber attack on payroll provider
The personal details of thousands of British Airways, BBC and Boots staff may have been stolen after a suspected Russia-linked cyber attack on the firms' payroll systems provider, according to a media report on Monday.
BA has emailed many of its 34,000-strong workforce warning them of a “cyber security incident which has led to the disclosure of personal information about colleagues paid through British Airways’ payroll in the UK and Ireland”.
It warned that the compromised information includes names, addresses, national insurance numbers, banking details and other information after a hack on payroll provider Zellis.
Boots has emailed employees saying that staff’s names, surnames, employee numbers, dates of birth, email addresses, the first lines of their home address and national insurance numbers have been affected. It said a “very small number” of employees may have had other data compromised.
A BBC spokesman confirmed the broadcaster was also affected: “
Zellis provides payroll services to a large number of major companies including the NHS and Jaguar Land Rover. The hack has affected eight of its customers, the paper cited an unnamed source as saying.
Security researchers said the cyber attack appeared to be linked to a Russian-speaking cybercrime gang called Clop. Hackers have exploited a backdoor in a piece of software used by Zellis called MOVEit, which is used to transfer files.
Progress Software, the maker of MOVEit, first identified the vulnerability last week. It told customers to “take immediate action” and delete any unauthorised user accounts added by hackers.
Rafe Pilling, a principal researcher with cyber security company Secureworks, said his Counter Threat Unit team had observed the Russian-speaking Clop gang targeting vulnerable servers over the past few days, adding that the same gang was likely behind the British Airways and Boots attack.
A spokesman for Zellis said: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.”
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring. We have also notified the ICO, DPC, and the NCSC in both the UK and Ireland.”
A spokesman for BA said: “We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit. Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.
“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.”