Major UK companies British Airways, BBC and Boots have been caught in a third-party data breach, as Russia-linked hackers warn victims to get in touch or face employee data leaks.
The three companies each confirmed they and their collective 100,000+ staff had been caught up in an unfolding cyber incident at payroll provider Zellis – which suffered data theft when hackers targeted MOVEit, a third-party software product the company was using.
The losses from this trickle-on cyber attack have been significant, as the companies respectively disclosed a range of compromised employee information, including banking details and national insurance numbers.
"We have been informed that we are one of the companies impacted by Zellis’s cyber security incident, which occurred via one of their third-party suppliers called MOVEit," said a representative for airline British Airways (BA).
As first reported by the UK’s Daily Telegraph, an email to all of BA's 34,000 staff warned that names, addresses, national insurance numbers and banking details were hit during the incident.
Meanwhile, the UK's largest pharmacy chain Boots emailed its own 52,000-strong UK workforce warning of similar data theft against home addresses and national insurance numbers.
Finally, the BBC expects a majority of its 22,000 employees were affected by the hack, as a spokesperson for the broadcaster revealed it was "working closely" with Zellis to urgently investigate the extent of the breach.
Microsoft has identified the group responsible for the attack as Cl0p: a highly active ransom gang behind some of 2023's most notable data leaks, including Crown Resorts, Rio Tinto and the Tasmanian government.
Cl0p's previous string of attacks stemmed from a zero-day vulnerability in file transfer software (FTS) GoAnywhere – now, the Russia-linked gang has employed the same tactics against another FTS, MOVEit, in a hacking spree affecting Zellis and its clients.
The group launched coordinated attacks on 27 May – choosing a low-activity period during the US Memorial Day long weekend – and began with yet another zero-day vulnerability (CVE-2023-34362) found this time in a MOVEit server.
The group quickly took to stealing a mountain's worth of data from MOVEit clients, including Zellis, resulting in roll-on breaches at the likes of Boots, British Airways, and the BBC.
Ray Kelly, principal security engineer at leading software company Synopsys, gave a stark reminder on the importance of third-party security in data privacy.
"This is a significant breach that demonstrates the importance of the software supply chain when it comes to data privacy," said Kelly.
"In this incident, a single vulnerability in a piece of software run by a third-party vendor led to the compromise and exposure of personal employee data across multiple organisations that the vendor services."
Zellis was quick to downplay the severity of the attack, conceding that a "small number" of its customers had been impacted and describing the incident as a "global issue".
"All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate," read a Zellis statement.
Cl0p issues 1-week ultimatum
On Wednesday, Cl0p updated its dark web blog with a post telling companies to email the group before 14 June or face having their stolen data published.
The threat was written in scattered English and all-capital letters, laying out a range of non-negotiable steps for companies which have used MOVEit software.
"This is announcement to educate companies who use progress MOVEit product that chance is that we download alot of your data as part of exceptional exploit," read the post.
"We are to proceed as follow and you should pay attention to avoid extraordinary measures to impact you company."
The ransom group had the gall to offer penetration testing services at the top of the post, before going on to flaunt its apparent trustworthiness by stating it does as it promises, is not fiscally motivated, and shows "video proof" of data deletion.
"Call today before your company name is publish here," read Cl0p's post.
Cl0p's activity in 2023 has been marked by wide-scale, multi-industry data breaches which home in on the common thread of third-party vendors across multiple organisations.
The gang's intentional targeting falls in line with current ransom trends, which not only indicate another year of increased victims, but more sophisticated campaigns and internal structures from prominent threat actors.
"Ransomware attacks are showing no signs of slowing down regardless of the industry," said Kelly.
"Banking, health care and even critical infrastructure as we saw in 2021 with the Colonial Pipeline are prone to attack.
"Organisations must remain hyper vigilant when it comes to securing their environment."