British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack

Microsoft blames Russian Clop ransomware crew for theft of staff info

British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app.

Microsoft reckons the Russian Clop ransomware crew stole the information.

British Airways, the BBC, and Boots were not hit directly. Instead, payroll services provider Zellis on Monday admitted its MOVEit installation had been exploited, and as a result "a small number of our customers" – including the aforementioned British trio – had their information stolen.

Zellis claims to be the largest payroll and human resources provider in the UK, and its customers include Sky, Harrods, Jaguar, Land Rover, Dyson, and Credit Suisse. In a statement posted on its website, Zellis blamed the MOVEit vulnerability for the security breach, and noted "all Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate."

The company did not answer The Register's specific questions, including how many and which customers were affected, and what data was accessed. The biz's spinners instead repeated the statement posted on the website.

The security hole came to light last Thursday, and almost immediately security researchers began warning that criminals had been "mass exploiting" the SQL-injection vulnerability in MOVEit for at least a month to break into IT environments and steal data.

The bug has since been assigned a CVE and is now tracked as CVE-2023-34362. The app's developer Progress patched the flaw on Friday. A spokesperson declined to answer The Register's specific questions, but provided this statement via email:

Progress takes the security of our customers very seriously. We cannot disclose information on our MOVEit Transfer and MOVEit Cloud customers. However, we can confirm that we took immediate measures to protect customer environments — first, providing instructions for immediate mitigation, followed by the release of a patch to all MOVEit Transfer customers, within 48 hours of identifying the vulnerability.

On Sunday, Microsoft attributed the thefts to a ransomware gang it tracks as Lace Tempest, which runs the Clop extortion site. "The threat actor has used similar vulnerabilities in the past to steal data & extort victims," Redmond said in the first of a series of tweets.

British Airways, which has about 35,000 employees, confirmed that it was one of the victims in what is now looking like yet another major supply chain attack.

"We have been informed that we are one of the companies impacted by Zellis' cybersecurity incident which occurred via one of their third-party suppliers called MOVEit," a British Airways spokesperson told The Register. "We have notified those colleagues whose personal information has been compromised to provide support and advice."

Both British Airways and Zellis said they had reported the intrusion to the UK Information Commissioner's Office (ICO), and Zellis notified the privacy watchdog's counterpart in Ireland as well as British cyber-police.

Another Zellis customer, the BBC, reported that its staff's personal information had been stolen and that fellow Zellis payroll users Boots and Aer Lingus are among those affected by the hack.

The BBC said data stolen included staff ID numbers, dates of birth, home addresses, and national insurance numbers. The latter information is particularly valuable to identity thieves.

Boots did not immediately respond to The Register's inquiries. The British company merged with US retail pharmacy giant Walgreens in 2006, forming the Walgreens Boots Alliance, and it's unclear if any Walgreens worker information was stolen in this case. ®
