British Airways & Boots Staff Personal Data Exposed In Data Breach

In a recent disclosure by British Airways (BA), it was reported that all its UK-based staff have had their personal data exposed in a cyber attack. The information compromised in this security breach includes bank and contact details. This breach occurred following an exploitation of a previously unknown flaw (zero-day vulnerability), in the file transfer system “MOVEit” from Progress Software, which we reported on last week (See the article here).

Last week, it was discovered that cyber criminals had used the vulnerability in MOVEit to access sensitive data. Confirming the incident on Monday June 5th, Zellis, a UK-based payroll provider, stated that eight of its clients had been affected by this cyber attack, but refrained from identifying the organisations. Subsequently, British Airways has confirmed that it was one of the businesses effected by the data breach, which has left the details of more than 34,000 UK staff details exposed.

Other well-known organisations including the Boots have confirmed that they have been effected by the attack and the BBC has also been implicated as potentially being effected in this cyber attack, with speculations linking the incident to a Russia-based group. British Airways issued a statement to Sky News saying, “We have been informed that we are one of the companies impacted by Zellis’ cyber security incident which occurred via one of their third-party suppliers called MOVEit. Zellis provides payroll support services to hundreds of companies in the UK, of which we are one. This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.”.

Zellis have also released their own statement following the breach stating, “A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product. We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate. Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”

Whilst the amount of businesses effected may be a “small number” according to Zellis, the impact on those companies and the individuals effected could still be substantial if the 34,000 BA employees is anything to go by. If your business uses Zellis or MOVEit we would advise reaching out to your account manager for further clarification. If you are concerned about your data privacy and if any of your online accounts may have been leaked on the Dark Web, click the link below to find out more about our Dark Web monitoring service and sign up for a free business domain scan. We can also help your business with a complete Cyber Security audit to ensure that you have the best Cyber Security solutions in place to protect your business from attacks and data breaches.

Latest News Stories