Top brands including British Airways, Boots and the BBC must brace themselves for “potential extortion, publication of stolen data, and victim shaming” in the wake of the major global hack attack which has affected UK-based payroll provider Zellis.
A Russian-speaking ransomware group named Clop has already claimed responsibility for the data breaches, which stem from the compromise of Progress Software’s file transfer suite MOVEit. The incident has exposed employee data, including bank and contact details.
In an email to Reuters, the hackers said “it was our attack” and that victims who refused to pay a ransom would be named and shamed on the group’s website.
Thousands of firms are understood to be affected and, while Zellis has confirmed that eight of its clients were among them, it has not named the organisations. However, BA, Boots and the BBC have since confirmed they have been affected by the hack.
A Boots spokesperson said: “A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members’ personal details.
“Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware.”
BA said: “We have been informed that we are one of the companies impacted by Zellis’s cybersecurity incident which occurred via one of their third-party suppliers called MOVEit. Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.
“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.”
The airline was at the centre of one of the most notorious GDPR enforcement cases to date, when it revealed in September 2018 that its security systems had been hacked, leading to over 420,000 customers and staff having their personal data leaked.
Following what it claimed was an extensive investigation, the UK Information Commissioner’s Office issued a “notice of intent” on July 8 2019 to fine the airline £183m. However, following months of legal wrangling, BA secured a reduction of nearly 90% to £20m which it paid in instalments.
Zellis said in its own statement: “A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product.
“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”
Even so, Mandiant Consulting chief technology officer Charles Carmakal said: “At this stage it is critical for victim organisations to prepare for potential extortion, publication of stolen data, and victim shaming. It is likely that the threat actor will soon begin to make contact with extortion demands and begin to work through their list of victims.”
Carmakal said his company’s investigations into prior campaigns from Clop show that extortion demands are usually in the 7- or 8-figure range, including a few demands for more than $35m.
He added: “Any organisation that had the MOVEit web interface exposed to the Internet should perform a forensic analysis of the system, irrespective of when the software was patched. Watch out for scammers too. Some of our clients impacted by the MOVEit exploitation received extortion emails over the weekend.
“The extortion emails were unrelated to the MOVEit exploitation and were just scams, but organisations could easily confuse them as being authentic.”
The ICO has yet to comment on the incident, although it did recently reveal that over 90 organisations had reported themselves to the regulator over the separate mass data breach at outsourcing giant Capita, whose clients include financial services giants Aviva and Phoenix Group as well as public sector and government departments.