Zellis cyber attack involving British Airways, BBC, and Boots

British Airways (BA), Boots and BBC staff are among thousands whose bank details and sensitive data have been compromised in a security breach involving the payroll firm Zellis. 

BA told its 34,000 employees on Monday morning that they were among those caught up in the cyber incident involving a zero-day vulnerability in the third-party software MOVEit, used by Zellis to transfer files.

The vulnerability allowed hackers to access sensitive data belonging to companies using the MOVEit transfer software, which may include hundreds of companies across the UK and thousands globally.

"We have been informed that we are one of the companies impacted by Zellis' cybersecurity incident which occurred via one of their third-party suppliers called MOVEit," BA said in a statement on Monday.

"Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.

"This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice."

Part of the Walgreens Boots Alliance, pharmaceutical firm Boots has also confirmed that it has been affected by the cyber incident.

In its own statement, the high-street drugs store said: "A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members' personal details.

"Our provider assured us that immediate steps were taken to disable the server, and as a priority, we have made our team members aware."

A ‘global issue’

The attack was reportedly orchestrated by a prolific Russian cyber-crime gang known as Clop. The hacker group is known for extorting industrial organisations with ransomware attacks.

The cyber-criminal group typically leak some of the material they steal on the dark web if their ransom demands are not met.

The compromised data is reported to include banking details and personal data including employee names, addresses, and national insurance numbers.

It is not yet known how many companies may have been affected by the security breach, but Zellis said in its own statement that "a large number of companies around the world have been affected by the MOVEit vulnerability.

"Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring."

"We can confirm that a number of our customers have been impacted by this global issue and we are actively working to support them.

"All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate."

Supply Chain Vulnerabilities in the Spotlight

Zellis was first informed of the attack last Thursday, when researchers in the US raised the alarm about data theft and the company revealed it had discovered a security flaw.

Like many other breaches in recent years, the attack involved a third-party supplier’s security flaw, which is increasingly becoming the entry point of choice for hackers. 

Erfan Shadabi, a cybersecurity expert at Comforte AG, said that the incident highlights critical security risks that organisations face through their supply chain. 

“By relying on external suppliers, organisations expose themselves to potential breaches and data compromises if proper security measures are not in place.”

Erfan Shadabi, Cybersecurity Expert at Comforte AG

“Third-party supply chain relationships have become a prime target for malicious actors seeking to exploit vulnerabilities in interconnected systems. This incident serves as a reminder that the security of an organization's data is only as strong as its weakest link.”

Jamie Akhtar, CEO and co-founder of CyberSmart, agrees. He urges businesses to address their supply chain dependencies:

“The goal is to have an understanding of your network of suppliers so that cyber risks can be managed and responded to effectively. If you’re unsure of where to start, the NCSC’s guidance is a great jumping-off point.”
