British Airways, Boots and the BBC confirmed on Monday that they have been hit by a “cybersecurity incident” involving their payroll that has affected some of the UK’s best-known names.
BA said the incident at Zellis, the payroll service, was a result of a “new and previously unknown vulnerability” in a file transfer tool developed by a company called MOVEit.
“We have notified colleagues whose personal information has been compromised to provide support and advice,” BA said.
Boots confirmed it was also hit.
The retailer said: “Our provider has assured us that immediate steps have been taken to shut down the server, and as a priority we have notified our team members.”
The BBC confirmed that it too was affected by the cyber attack. The national broadcaster, which employs some 20,000 people, has also warned staff about the possible breach.
People familiar with the BBC’s internal response said they did not believe the data breach contained bank account details, but that they were working with Zellis to learn more about the cyber-attack.
The BBC said: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security very seriously and follow established reporting procedures.”
The effect on businesses was first reported by the Daily Telegraph.
Zellis said a “small number” of its customers were affected by the “global problem”. It worked to support them, it said, adding that the problem was with software from MOVEit, not Zellis.
“All software owned by Zellis is untouched and there are no incidents or compromises with any other part of our IT asset,” it said.
A person close to the company indicated that only eight customers had experienced problems.
“Once we became aware of this incident, we took immediate action by disconnecting the server running MOVEit software and engaging an expert remote security incident response team to assist with forensic analysis and ongoing monitoring,” Zellis said. .
The hackers appeared to have exploited a recently disclosed vulnerability in the widely used MOVEit software, made by Progress, a company based in Burlington, Massachusetts. The software is designed to move data securely, but on May 31, the company informed customers that his software had an unknown weakness called a Zero Day that allowed hackers to access and manipulate that data.
In some cases, a technology manager familiar with the vulnerability told the Financial Times that hackers could add new users for continued access to the data. Progress said the breaches were observed in May and suggested adjusting their software’s settings to patch data breaches pending a more effective update.
Google-owned Mandiant, which regularly provides emergency assistance in such scenarios, said that based on previous experience, it was likely that customers of the software would soon receive ransomware requests demanding payments to prevent the release of all stolen information.
It attributed the breaches to a previously unknown group that had affected organizations operating in “a wide range of industries across Canada, India and the US”.
Such vulnerabilities are often shared within criminal gangs, usually based in Russia, meaning they may have been exploited by different groups of hackers in recent weeks.
Zellis said it had notified the UK’s Information Commissioner’s Office, the Director of Public Prosecutions and the National Cyber Security Centre, as well as their equivalents in Ireland.
“We use robust security processes for all of our services and they all continue to work,” the company said.
