Employers including the BBC, Boots and British Airways have been affected by a cyberattack that may have seen hackers steal employees’ personal data including national insurance numbers, dates of birth and home addresses.
Last week, hackers from the ransomware group Clop stole data from users of the MOVEit Transfer file-sharing tool.
One of the firms that have been affected is Zellis, which provides payroll services to a number of UK employers. According to reports, eight Zellis customers have seen their data compromised.
Zellis said in a statement: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring. We have also notified the ICO, DPC, and the NCSC in both the UK and Ireland. We employ robust security processes across all of our services and they all continue to run as normal.”
The BBC said it did not believe its employees’ bank details had been stolen, although employee ID numbers and national insurance numbers were compromised.
A BBC spokesperson said: “We are aware of a data breach at our third party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”
BA said it has reported the incident to the Information Commissioner’s Office. It said in a statement: “We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit. Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.
“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.”
A Boots spokesperson said: “A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members’ personal details.
“Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware.”
The National Cyber Security Centre said it was working to fully understand the impact of the MOVEit cyberattack on the UK.
“The NCSC strongly encourages organisations to take immediate action by following vendor best practice advice and applying the recommended security updates,” it said.
Christine Sabino, legal director at law firm Hayes Connor, said the group involved in the attack may attempt to extort the employers affected.
She said: “Digital extortion is an act employed by cybercriminals which involves coercing individuals or companies into paying a ransom to regain access to stolen cyber assets.
“Personal information, even in small fragments like names, dates of birth, or national insurance numbers, can lead to identity theft, resulting in financial losses, and reputational damage.
“However, in this case, where there’s a combination of data shared, the risk is maximised for the employees whose data has been exposed.
“It is clear many of the companies involved are taking the incident very seriously, as communication lines with employees affected have already been quite open. That said, for those affected, this will no doubt be a very stressful time, so seeking the support of experts to help mitigate the damage is advised.”
MOVEit’s software maker Progress Software Corporation has made fixes available since it discovered the vulnerability on 28 May.
Zellis was formed following Bain Capital’s acquisition of the UK and Ireland division of NGA HR in 2018, which was part of the larger company Northgate Information Solutions.