Mass hack hits BBC, British Airways, Boots, and Aer Lingus, exposing staff data

A series of organisations, including the BBC, British Airways, Boots, and Aer Lingus, have been impacted by a large-scale cyber attack. Employees have been alerted that personal information, such as national insurance numbers and, in some cases, bank details, may have been compromised. The hackers infiltrated a widely-used software program, enabling them to access multiple companies simultaneously. No ransom demands or instances of money theft have been reported thus far.

In the UK, Zellis, a payroll services provider, is among the affected companies and has confirmed that data from eight of its client firms has been stolen. Although Zellis has not disclosed the names of these firms, organisations have been independently issuing warnings to their employees. The BBC informed its staff that the stolen data included staff ID numbers, dates of birth, home addresses, and national insurance numbers. British Airways employees have been warned that some may have had their bank details compromised.

The UK’s National Cyber Security Centre is closely monitoring the situation and has advised organisations using the compromised software to carry out security updates. The cyber attack was first revealed last week when US firm Progress Software announced that hackers had breached its MOVEit Transfer tool. This software, designed to securely transfer sensitive files, is widely used globally, with the majority of its customers based in the US.

Upon discovering the hack, Progress Software promptly alerted its customers and released a downloadable security update. A spokesperson stated that the company is collaborating with law enforcement to “combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.”

On Thursday, the US Cybersecurity and Infrastructure Security Agency issued a warning to firms using MOVEit, instructing them to download a security patch to prevent further breaches. However, security researcher Kevin Beaumont has noted that thousands of company databases may still be at risk, as many affected firms have yet to install the fix. “Early indications are there are a large number of prominent organisations impacted,” he said.

It is anticipated that the cyber criminals will seek to extort money from organisations rather than individuals. While no ransom demands have been made public yet, it is expected that cyber criminals will begin emailing affected organisations to demand payment, threatening to publish the stolen data online for other hackers to exploit. Victim organisations are urging staff to remain vigilant of any suspicious emails that could lead to additional cyber attacks.

Although no official attribution has been made, Microsoft believes the criminals responsible are connected to the infamous Cl0p ransomware group, which is thought to be based in Russia. In a blog post, the US tech giant stated that it was attributing the attacks to Lace Tempest, known for ransomware operations and running the Cl0p extortion website where victim data is published. The company added that the hackers responsible have employed similar techniques in the past to steal data and extort victims.

John Shier from cybersecurity firm Sophos emphasised the importance of supply chain security, stating, “While Cl0p has been linked to this active exploitation, it is probable that other threat groups are prepared to use this vulnerability as well.” The National Crime Agency informed the BBC that it was aware that a number of UK-based organisations had been “impacted by a cyber incident” due to a previously unknown security flaw related to MOVEit Transfer. The NCA is currently working with partners to support affected organisations and assess the full impact on the UK.