Tens of thousands of employees at some of Britain’s biggest companies have had their personal data compromised by a Russian-speaking criminal gang in a widespread hack expected to spread to the US and ensnare more victims.
British Airways, Boots and the BBC were among the groups to warn employees on Monday they had been affected by the breach that hit software used by Zellis, the UK payroll provider which serves nearly half of FTSE 100 companies.
The BBC, the national broadcaster with around 20,000 workers, and Boots, the pharmacy retailer that employs more than 50,000, alerted staff to the potential breach which affected their names, dates of birth and National Insurance numbers. British Airways, which in 2020 was fined £20mn for leaking customer data, said it would “provide support and advice” to relevant staff.
The hack exploited an unknown weakness in a supposedly secure piece of file-transfer software, highlighting the growing vulnerability of many companies to sophisticated cyber attacks targeting flaws along their software supply chain.
Security researchers said the hackers are expected to use the data to launch so-called “hack and leak” attacks, threatening to release sensitive information unless companies pay substantial sums.
At least a fifth of British firms have had their data stolen by an external attacker in the past year, security firm Sophos said. UK firms can be fined up to four per cent of their annual revenue for mishandling data.
Prior demands from the suspected Russian gang, dubbed Clop by cyber security experts, have regularly been above $1mn and as high as $35mn. A person close to Zellis said no group had claimed responsibility and the motive behind the breach is unclear.
The targeted software, MOVEit, made by Massachusetts-based tech group Progress, was used by Zellis in some of its systems. Eight customers at the UK payroll group were affected, a person familiar with the incident said.
But the software is more popular in the US, where regulatory disclosure is slower, making it likely that the list of victims will grow over the week, said researchers at Secureworks, a cyber security group. Other researchers said companies in Canada and India are also expected to be affected.
“If Zellis or the others don’t agree to pay, then those details are likely to end up for sale, and they will be monetised in some shape or form,” said Martin Riley, director of Managed Security Services at Reading-based Bridewell, who has watched the attack unfold over the weekend.
The Clop hacking group is known to hunt for vulnerabilities in secure file-transfer software, since companies are often required by law to handle some of their most valuable data with such providers.
That makes the hacks far more lucrative, as when the same group attacked similar software called Accellion in 2021 and GoAnywhere earlier this year, said Rafe Pilling, senior security researcher at Secureworks. That makes it all but certain the hackers are financially, not politically motivated, he said.
“The group is Russian speaking, but this is not the Russian state, this is not Russia directed and predates the Ukrainian invasion,” he said. “This is not Russia attacking the west.”
As companies have started relying on backups to prevent being locked out of their data in ransomware incidents, gangs have moved on to hack and leak attacks in recent months.
“We are already identifying active intrusions at several clients and expect many more in this short term,” said John Hultquist, chief analyst at Mandiant Intelligence. “Everyone needs to move fast to patch . . . and in cases where they suspect exploitation, prepare for possible public release of their data.”
Such vulnerabilities are often shared within criminal gangs, mostly based in Russia, meaning they could have been exploited by various groups of hackers in recent weeks.
MOVEit’s manufacturer informed customers on May 31 that its software had an unknown weakness allowing hackers to steal large amounts of data. The company declined to answer questions on how many of its customers globally were affected, nor whether it had identified the perpetrator.
“We have engaged with federal law enforcement and other agencies . . . with industry-leading cyber security experts,” said Progress.
Progress said the breaches had been observed in May, and suggested tweaks to the settings on their software to cut off data leaks while awaiting a more effective update. It said it had issued a software update that would allow companies to fix the flaw in their systems.
UK companies being affected by the hack was first reported by the Daily Telegraph.
“All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate,” said Zellis, adding it had informed the UK Information Commissioner’s Office, the director of public prosecutions and the National Cyber Security Centre, as well as their equivalents in Ireland.
