Cloud Hosting

By James Sillars, Business reporter @SkyNewsBiz

Monday 5 June 2023 22:01, UK

The BBC, British Airways , Boots and Aer Lingus have been caught up in a cyber incident that has exposed employee personal data, including bank and contact details, to hackers.

A ransomware group named Clop has claimed responsibility for the breaches centred around the MOVEit file transfer software.

In an email to Reuters on Monday, the hackers said "it was our attack" and that victims who refused to pay a ransom would be named and shamed on the group's website.

Work by Microsoft had earlier suggested that the Russian-speaking ransomware gang was behind the attack.

It emerged last week that a so-called zero-day vulnerability - a flaw - in the file transfer system MOVEit, produced by Progress Software, had been exploited by cyber criminals.

It had allowed the hackers to access information on a range of global companies using MOVEit Transfer.

Thousands of firms are understood to be affected.

UK-based payroll provider Zellis confirmed on Monday that eight of its clients were among them.

It did not name the organisations.

BA, however, confirmed it had been caught up in the affair.

The airline employs 34,000 people in the UK.

The BBC and Boots, which has 50,000 staff, said they had been affected too.

The broadcaster did not believe its employees' bank details had been exposed though company ID and national insurance numbers were compromised.

Current and former staff at Aer Lingus have also been affected, the airline said, but no financial or bank details nor phone numbers were compromised in the incident.

Analysis: Origins 'appear to have Russian links'

Experts said corporate victims could expect the group responsible to make contact with a list of demands within weeks.

In this instance, the compromised information included contact details, national insurance numbers and bank details.

BA told Sky News: "We have been informed that we are one of the companies impacted by Zellis's cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.

"Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.

"This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice."

A Boots spokesperson said: "A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members' personal details.

"Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware."

Read more from business:New business group launched to rival CBI Six Nations backer CVC plots 4bn takeover of Center Parcs

Zellis said in its own statement: "A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software's MOVEit Transfer product.

"We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.

This is a limited version of the story so unfortunately this content is not available. Open the full version

"All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.

"Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring."

Charles Carmakal, chief technology officer at Google cyber security specialist Mandiant Consulting, said: "At this stage it is critical for victim organisations to prepare for potential extortion, publication of stolen data, and victim shaming.

"It is likely that the threat actor will soon begin to make contact with extortion demands and begin to work through their list of victims.

"Mandiant's investigations into prior campaigns from the suspected threat actor show that extortion demands are usually in the 7- or 8-figure range, including a few demands for more than $35m.

"Any organisation that had the MOVEit web interface exposed to the internet should perform a forensic analysis of the system, irrespective of when the software was patched," he warned.

Click to subscribe to The Ian King Business Podcast

"Watch out for scammers too. Some of our clients impacted by the MOVEit exploitation received extortion emails over the weekend.

"The extortion emails were unrelated to the MOVEit exploitation and were just scams, but organisations could easily confuse them as being authentic."

A MOVEit spokesperson said: "Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps."

"We disabled web access to MOVEit Cloud to protect our cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit."

"We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability."

"We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products."

See the rest here:
BA, BBC and Boots hit by cyber security breach with contact and bank details exposed - Sky News