BA, Boots and BBC among companies targeted in cyberattack

Ransomware group Clop claims it is behind the mass hack

A wide-ranging breach centred on the popular file transfer tool MOVEit has affected a growing number of organisations, including British Airways, Boots and the BBC.

According to the three companies, the breach occurred at their payroll provider, Zellis.

On Monday, Zellis confirmed that some of its clients were affected by the breach, although it did not disclose the names of the victims.

"We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them," Zellis said in a statement.

"All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.

"Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring."

British Airways (BA) confirmed that it was affected by the cyber incident.

"We have been informed that we are one of the companies impacted by Zellis's cybersecurity incident which occurred via one of their third-party suppliers called MOVEit," BA told Sky News.

"Zellis provides payroll support services to hundreds of companies in the UK, of which we are one."

The company says it has notified the employees affected by the incident and is offering them support.

In an email sent to staff, BA reportedly revealed that the compromised information included employee names, addresses, banking details and national insurance numbers.

Boots, which is a part of Walgreens Boots Alliance, has stated that the attack included personal details of some of its employees.

The BBC has indicated that the breach does not encompass staff bank details. The corporation has stated that it is collaborating with Zellis in their investigation to determine the extent of the breach.

Boots employs a workforce of over 50,000 individuals in Britain. BA has approximately 30,000 staff members, and the BBC employs over 21,000 people.

The breaches have been claimed by the Clop ransomware group.

In an email to Reuters on Monday, the hackers explicitly stated that "it was our attack" and issued a warning that victims who declined to pay the ransom would be publicly named and shamed on the group's website.

MOVEit Transfer, developed by Progress Software, is a managed file transfer (MFT) solution designed to facilitate secure file transfers between businesses, partners, and customers. It supports various protocols such as SFTP, SCP and HTTP-based uploads to ensure the safe exchange of files.

Last week, reports emerged that threat actors were exploiting a zero-day vulnerability in MOVEit Transfer servers to carry out data theft from organisations.

As per BleepingComputer, the attackers took advantage of the zero-day by deploying customised web shells on servers. These web shells enabled them to retrieve a list of stored files, then download files and pilfer credentials associated with configured Azure Blob Storage containers.

On Sunday, Microsoft stated it believed that the group responsible for the hacks is "Lace Tempest," which is the nickname attributed to the online extortionists operating the Clop ransomware site.

"Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site," Microsoft said.

"The threat actor has used similar vulnerabilities in the past to steal data and extort victims," it added.

In a statement released on Monday, MOVEit said that it had addressed the vulnerability exploited by the hackers.

The company also mentioned that it is collaborating with experts to thoroughly investigate the issue and implement all necessary response measures to mitigate the impact of the breach.

"This situation represents a common occurrence of a supply chain attack that aims at multiple companies simultaneously, compromising highly sensitive employee data," Jake Moore, global cybersecurity advisor at ESET, said.

"It is crucial for all affected companies to have already installed the essential security patch in order to maintain adequate protection."

Alexander Heid, chief research and development officer with cybersecurity ratings and risk management company SecurityScorecard, said: "This incident highlights the risk that a single vulnerability in widely used third-party enterprise software can pose to the digital supply chain."

"We recommend removing vulnerable instances of MoveIT from the public internet until a patch is implemented. While MoveIT has since released updates to rectify the vulnerability, this incident serves as a stark reminder of the need for continuous vigilance and proactive measures in cybersecurity, particularly in the realm of third-party vendor risk management."