Payroll services provider Zellis has confirmed that personal data from eight of its client firms has been compromised due to the MOVEit cyber breach. Among the affected clients are major organizations such as British Airways, the BBC, and Boots, which have reported compromised personal data and bank details following the exploitation of a zero-day vulnerability in the MOVEit file transfer system developed by Progress Software.
The BBC has alerted its employees regarding the theft of sensitive information, including staff ID numbers, home addresses, national insurance numbers, and dates of birth. Other firms have also reported compromised bank details as a result of the breach.
The attack was first reported last week, and organizations are still assessing the extent of the damage while informing staff about potential data loss. Thousands of companies are believed to have been affected.
A spokesperson from the National Cyber Security Centre stated, “We are working to fully understand the UK impact following reports of a critical vulnerability affecting MOVEit Transfer software being exploited. The NCSC strongly encourages organizations to take immediate action by following vendor best practice advice and applying the recommended security updates.”
Achi Lewis, Area VP EMEA for Absolute Software, remarked, “Preventing cyber-attacks is always the preference, but supply chains add additional risk to an organization’s cyber protections, providing threat actors with an extra way in beyond internal defenses. Supply chain attacks can be a lucrative method for cybercriminals due to the cascading impact a breach can have on multiple targets, representing a significant risk that organizations must factor into their detection and prevention strategies.”