British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack
Microsoft blames Russian Clop ransomware crew for theft of staff info
British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app.
Microsoft reckons the Russian Clop ransomware crew stole the information.
British Airways, the BBC, and Boots were not hit directly. Instead, payroll services provider Zellis on Monday admitted its MOVEit installation had been exploited, and as a result "a small number of our customers" – including the aforementioned British trio – had their information stolen.
Zellis claims to be the largest payroll and human resources provider in the UK, and its customers include Sky, Harrods, Jaguar, Land Rover, Dyson, and Credit Suisse. In a statement posted on its website, Zellis blamed the MOVEit vulnerability for the security breach, and noted "all Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate."
The company did not answer The Register's specific questions, including how many and which customers were affected, and what data was accessed. The biz's spinners instead repeated the statement posted on the website.
The security hole came to light last Thursday, and almost immediately security researchers began warning that criminals had been "mass exploiting" the SQL-injection vulnerability in MOVEit for at least a month to break into IT environments and steal data.
The bug has since been assigned a CVE and is now tracked as CVE-2023-34362. The app's developer Progress patched the flaw on Friday. A spokesperson declined to answer The Register's specific questions, but provided this statement via email:
Progress takes the security of our customers very seriously. We cannot disclose information on our MOVEit Transfer and MOVEit Cloud customers. However, we can confirm that we took immediate measures to protect customer environments — first, providing instructions for immediate mitigation, followed by the release of a patch to all MOVEit Transfer customers, within 48 hours of identifying the vulnerability.
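The article names the bug class at the root of the incident, SQL injection, without showing what it looks like. The following is an added illustration for readers, not MOVEit's code or anything from Progress: a constructed in-memory SQLite table, a lookup that splices user input into the query text (the vulnerable pattern) beside the same lookup with a bound parameter (the fix), and a comparison of what each returns for ordinary and quote-bearing input.

```python
import sqlite3

# Constructed sample rows for the demonstration; not a real schema or real data.
ROWS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The injectable pattern: untrusted text becomes part of the SQL itself."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The hardened pattern: the value is bound, so quotes in it are just data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both lookups against a plain value and a quote-bearing one."""
    conn = make_db()
    plain = "bob"
    # A value containing quote characters. Concatenated into the query text it
    # rewrites the WHERE clause into a tautology; bound as a parameter it matches
    # nothing, because no username contains that string.
    quoted = "x' OR 'a'='a"
    return {
        "vuln_plain": lookup_vulnerable(conn, plain),
        "vuln_quoted": lookup_vulnerable(conn, quoted),
        "safe_plain": lookup_parameterized(conn, plain),
        "safe_quoted": lookup_parameterized(conn, quoted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The vulnerable lookup returns every row for the quoted input, which is the behaviour a code reviewer or a database audit log (a sudden full-table read from a login or search endpoint) should treat as a red flag; the parameterized lookup returns the same single row for "bob" and nothing for the quoted string. Binding parameters, rather than filtering quote characters, is the fix that removes the class of bug.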
On Sunday, Microsoft attributed the thefts to a ransomware gang it tracks as Lace Tempest, which runs the Clop extortion site. "The threat actor has used similar vulnerabilities in the past to steal data & extort victims," Redmond said in the first of a series of tweets.
British Airways, which has about 35,000 employees, confirmed that it was one of the victims in what is now looking like yet another major supply chain attack.
"We have been informed that we are one of the companies impacted by Zellis' cybersecurity incident which occurred via one of their third-party suppliers called MOVEit," a British Airways spokesperson told The Register. "We have notified those colleagues whose personal information has been compromised to provide support and advice."
Both British Airways and Zellis said they had reported the intrusion to the UK Information Commissioner's Office (ICO), and Zellis notified the privacy watchdog's counterpart in Ireland as well as British cyber-police.
Another Zellis customer, the BBC, reported the theft of its staff's personal information and said that fellow Zellis payroll users Boots and Aer Lingus are among those affected by the hack.
The BBC said data stolen included staff ID numbers, dates of birth, home addresses, and national insurance numbers. The latter information is particularly valuable to identity thieves.
Boots did not immediately respond to The Register's inquiries. The British company merged with US retail pharmacy giant Walgreens in 2006, forming the Walgreens Boots Alliance, and it's unclear if any Walgreens worker information was stolen in this case. ®