British Airways staff’s personal data exposed in cyber attack on payroll provider
British Airways (BA) has confirmed that its entire UK-based workforce has been affected by a cyberattack that exposed personal data, including bank and contact details. The incident is linked to a zero-day vulnerability in Progress Software’s MOVEit file transfer system, which was exploited by hackers to access information from various global companies using the platform. Thousands of firms are believed to be impacted by the breach.
UK payroll provider Zellis disclosed that eight of its clients were among those affected, without naming the organisations. BA, which employs 34,000 people in the UK, acknowledged its involvement in the cybersecurity incident. Boots, with a staff of 50,000, also confirmed it had been affected. The Telegraph newspaper reported that the BBC was among the organisations caught up in the hacking, which is being linked to a Russia-based group.
The compromised data includes contact details, national insurance numbers, and bank details. BA told Sky News: “We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.”
Zellis provides payroll support services to hundreds of companies in the UK, of which BA is one. “This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.”
A Boots spokesperson said: “A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members’ personal details. Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware.”
Zellis issued a statement: “A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product. We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.”
The statement continued: “All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate. Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”