BBC, Boots, British Airways among victims of mass cyber attack
Tens of thousands of employees of private and public organisations have had their personal data exposed as a result of a wide-ranging breach of the MOVEit Transfer tool.
The hackers exploited a flaw in the MOVEit Transfer application, used by companies such as payroll provider Zellis to transfer documents. Zellis has said eight of its client firms have been affected by the breach.
Microsoft said it believed the criminals responsible are linked to the notorious Cl0p ransomware group, thought to be based in Russia. The company said the hackers responsible have used similar techniques in the past to steal data and extort victims.
The victims of the hack include private companies such as the BBC, Boots, British Airways and Aer Lingus, as well as public bodies such as the government of Nova Scotia, in Canada.
Companies affected were warned that their staff's personal data - including ID numbers, dates of birth, home addresses, national insurance numbers and, in some cases, bank details - may have been stolen. Currently, there are no reports of ransomware demands.
The news of the breach followed last week's disclosure by the system's creator, Massachusetts-based Progress Software, that it had identified a flaw in MOVEit that could have allowed hackers to breach its defences.
Progress Software said it alerted its customers as soon as the hack was discovered and quickly released a downloadable security update. The US Cybersecurity and Infrastructure Security Agency soon afterwards issued a warning to firms that use MOVEit, instructing them to download a security patch to stop further breaches.
On Monday, 5 June, MOVEit said it had fixed the vulnerability exploited by the hackers and was working with experts to investigate the issue "and ensure we take all appropriate response measures."
In a statement, Nova Scotia's cyber-security and digital solutions minister, Colton LeBlanc, said his residents "will have questions and we do, too."
Boots confirmed it made its staff aware of the data vulnerability, stating that: “A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members’ personal details.
“Our provider assured us that immediate steps were taken to disable the server and as a priority we have made our team members aware.”
British Airways, which has around 34,000 people employed in the UK, also confirmed it was one of the companies to be caught up in the cyber attack. The firm, owned by IAG, said it had notified affected employees and was providing them with support.
“We have notified those colleagues whose personal information has been compromised to provide support and advice,” a spokesman said.
British Airways and Zellis have both reported the incident to the Information Commissioner’s Office (ICO), the firm said.
The BBC said it was working with Zellis "as they urgently investigate the extent of the breach."
Zellis said in its own statement: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.
“Once we became aware of this incident, we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.
“We employ robust security processes across all of our services and they all continue to run as normal.”
The UK's National Cyber Security Centre said it was monitoring the situation and urged organisations using the compromised software to carry out security updates.
Commenting on the news, Ryan McConechy, CTO at Barrier Networks said: “This is yet another example of a supply chain security incident where one exploited vulnerability in a system has impacted thousands of people.
"These situations have become more frequent recently as organisations widen their supply chain and provide their partners with access to their digital networks. From a business standpoint, it is essential to run vulnerability management and red teaming to help spot vulnerabilities quickly and to patch systems as early as possible once patches become available. It is also critical to segment the network to help contain attacks and stop them spreading through the supply chain.”
Julia O’Toole, CEO of MyCena Security Solutions added: “It is common for an initial breach to spread up and down the supply-chain of the initial target. Once a criminal is in, they will be looking for doors that can open onto new victims.
"When it comes to protection against these threats, segmenting and encrypting access is essential. By segmenting access, you minimise the amount of data that can be obtained at once, and malware cannot travel, not just inside your systems but also further up and down your supply chain, so more companies are not infected.”
The NCA added it was "working with partners to support those organisations and understand the full impact on the UK".
Over the past three years, the Covid-19 pandemic and Russia’s invasion of Ukraine have created conditions that have favoured a dramatic increase in cyber crime, effectively turning the cyber space into what Australia’s cyber-security agency has described as “the domain of warfare”.
This rise in cyber crime has affected governments and organisations across the world. The UK’s NHS, Apple in the US, and even the Albanian government have all suffered severe cyber attacks that have disrupted their services and put their users’ personal information at risk.
On June 7th, Cl0p contacted affected companies, threatening to publish stolen data.
The BBC said Cl0p had posted the following message: “This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit.”
The post went on to urge organisations affected by the hack to send an email to the gang to begin a negotiation on the crew’s darknet portal before June 14th, the broadcaster said.
Edited on June 7th to include references to the identity of the hackers and their ransom request.