A recent global cyber attack has compromised the personal information of employees at various companies, including British Airways and Boots, due to a flaw in a software product called MOVEit Transfer. The software is used by thousands of companies worldwide to transfer files, and hackers exploited this flaw to gain access to sensitive data. According to The Telegraph, the cyber attack has suspected links to a Russian-speaking cybercrime gang called Clop.
The UK’s leading payroll provider, Zellis, has confirmed that eight of its customers have been impacted by the global issue, which may have exposed personal information including names, addresses, and banking details. Boots, a pharmacy chain, has also confirmed that it made its staff aware of the data vulnerability, which it said was affecting many companies globally. The company stated that third-party software used by one of its payroll providers included some of its team members’ personal details.
British Airways, which has around 34,000 people employed in the UK, has also confirmed that it was one of the companies affected by the cyber attack. The company has notified those colleagues whose personal information has been compromised to provide support and advice. Both British Airways and Zellis have reported the incident to the Information Commissioner’s Office (ICO), the UK’s data protection regulator.
The BBC is also understood to have been affected by the incident via Zellis. Zellis stated that it took immediate action once it became aware of the incident, disconnecting the server that utilizes MOVEit software and engaging an external security incident response team to assist with forensic analysis and ongoing monitoring. Zellis employs robust security processes across all of its services, and they continue to run as normal.
This incident comes after outsourcing firm Capita was recently affected by a cyber attack that saw some customer, supplier, and staff data accessed by hackers. Capita faces a bill of up to £20 million to deal with the incident, including for recovery and remediation costs, and to invest in reinforcing its cybersecurity defenses.
The hack has raised concerns about the security of personal data, particularly for companies that rely on third-party software to transfer files. British Airways, which suffered a similar data hack in 2018, was fined £20 million by the ICO after investigators found it should have identified the security weaknesses that enabled the attack. The company had previously notified around 429,612 customers and staff that their personal data may have been accessed by hackers.
The incident highlights the importance of cybersecurity measures, including regular software updates and employee training to prevent and respond to cyber attacks. Companies should also ensure that they have robust incident response plans in place to minimize the impact of a cyber attack on their operations and reputation.