Thousands of BA, BBC and Boots staff hit by data hack
All three organisations use the payroll provider Zellis. Zellis uses MOVEit file transfer software, the maker of which ‒ Progress Software ‒ revealed last week that it had discovered a flaw which could allow hackers to intercept data as it was being moved through the program.
The software firm said that this issue had now been fixed, and it was working to “ensure we take all appropriate response measures”.
However, the data has now potentially been accessed by hackers associated with the Cl0p ransomware group. Microsoft has suggested that the group has exploited similar software vulnerabilities in the past.
Zellis confirmed that some of its corporate customers ‒ including British Airways, the BBC and Boots ‒ had been impacted by the data hack.
A spokesperson for British Airways said: “We have notified those colleagues whose personal information has been compromised to provide support and advice.” However, there was no confirmation of how many had been affected.
The BBC also declined to confirm the number of affected staff, stating that it was working with Zellis “as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”
It is not just large organisations in the UK which have been impacted by this data hack. The government of Nova Scotia, the Canadian province, has confirmed that it too has been affected.
The Government uses the MOVEit software to share files across departments, and so hackers may have been able to obtain the personal details of residents in the province.
It said that it has taken its systems offline and is now working to establish whose details may have been accessed.
What to do if you’ve been impacted by the data breach
There are certain steps that should be followed if you believe your details may have been accessed through a data breach, according to the National Cyber Security Centre (NCSC).
First, contact the organisation that has been hacked to find out if your details have likely been included. It’s important to do this through official channels, and not by using numbers or links in emails, since they could have come from scammers.
Next, be on your guard for suspicious messages. The NCSC says to be particularly cautious around messages referring to resetting passwords, compensation, or which are full of confusing ‘tech speak’.
You should check your online accounts, and keep an eye on them, in case of any suspicious activity. If there are unexplained payments then be sure to report them immediately.
Similarly, you should also report any suspicious messages you receive.