Global Courant
LONDON — Britain’s cybersecurity agency on Wednesday urged companies to be vigilant after the BBC, British Airways and other companies said their employees’ personal data may have been compromised by a software hack.
The companies were the first major victims after hackers successfully broke through a popular file transfer software called MOVEit. The Clop ransomware group, believed to be based in Russia, has threatened on its dark web site that stolen data, including personal details such as names and home addresses, could be published.
“We are working to fully understand the UK’s impact following reports of a critical vulnerability affecting MOVEit Transfer software that is being exploited,” the UK’s National Cyber Security Center said in a statement.
“The NCSC strongly encourages organizations to take immediate action by following vendor best practice advice and applying recommended security updates,” it added.
MOVEit is a program that is widely used by companies to share files securely online. Zellis, a leading provider of payroll services in the UK who works with British Airways, the BBC and hundreds of others, was one of the users. Zellis said Monday that a “small number” of its customers have been affected by the breach.
It is believed that hackers broke into the software, gaining access to the databases of potentially hundreds of other companies.
“This incident occurred due to a new and previously unknown vulnerability in a widely used MOVEit file transfer tool,” British Airways said in a statement. “We have notified colleagues whose personal information has been compromised to provide support and advice.”
The BBC, which employs about 22,000 people worldwide, said it was working with Zellis to determine the extent of the breach.
The broadcaster said in an email sent to all UK employees and freelancers on Monday that details including dates of birth, social security numbers and home addresses have been released. But it said the bank account details had apparently not been compromised and there was “no evidence that the data was misused”.
The drugstore chain Boots, which employs more than 50,000 people, has also informed staff about the hack.
BA and Zellis said they had reported the incident to the UK’s Information Commissioner’s Office.
