British Airways, Boots and the BBC on Monday confirmed they had been affected by a “cyber security incident” involving their payroll provider which has affected some of the UK’s best-known names.
BA said the incident at Zellis, its payroll provider, was the result of a “new and previously unknown vulnerability” in a file transfer tool developed by a company called MOVEit.
“We have notified those colleagues whose personal information has been compromised to provide support and advice,” BA said.
Boots confirmed it had also been hit.
The retailer said: “Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware.”
The BBC confirmed that it too had been affected by the cyber attack. The national broadcaster, which employs about 20,000 people, has also alerted staff to the potential breach.
People familiar with the BBC’s internal response said that they did not believe the data breach included bank account details, but were working with Zellis to find out more about the cyber attack.
The BBC said: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”
The effect on the companies was first reported by the Daily Telegraph.
Zellis said a “small number” of its customers had been affected by the “global issue”. It was working to support them, it said, adding that the issue was with software from MOVEit, not Zellis.
“All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate,” it said.
A person close to the company indicated that only eight customers had suffered issues.
“Once we became aware of this incident, we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring,” Zellis said.
The hackers appeared to have exploited a recently disclosed vulnerability in the widely used MOVEit software, made by Progress, a company based in Burlington, Massachusetts. The software is designed to help move data securely, but on May 31, the company informed customers that its software had an unknown weakness, called a Zero Day, that allowed hackers to access that data and manipulate it.
In some instances, a technology administrator familiar with the vulnerability told the Financial Times, hackers were able to add new users for persistent access to the data. Progress said the breaches had been observed in May, and suggested tweaks to the settings on their software to cut off data leaks while awaiting a more effective update.
Google-owned Mandiant, which regularly provides an emergency response in such scenarios, said that based on previous experience it was likely that customers of the software would soon start receiving ransomware requests demanding payments to prevent the release of all the stolen information.
It attributed the breaches to a previously unknown group that had affected organisations operating in “a wide range of industries based in Canada, India and the US”.
Such vulnerabilities are often shared within criminal gangs, mostly based in Russia, meaning that they could have been exploited by various groups of hackers in recent weeks.
Zellis said it had informed the UK Information Commissioner’s Office, the director of public prosecutions and the National Cyber Security Centre, as well as their equivalents in Ireland.
“We employ robust security processes across all of our services and they all continue to run as normal,” the company said.