
BBC and British Airways affected by data breach at payroll company Zellis

The BBC and British Airways (BA) confirmed on Monday that the personal data of their staff has been exposed to hackers following a cyber incident impacting their payroll provider Zellis.

A spokesperson for the BBC, which employs over 21,000 people, confirmed that the company was “aware of a data breach at our third party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach,” but said they don’t believe that employees’ bank account details were compromised.

BA, which employs around 34,000 people in the United Kingdom, said it was “one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.”

Last week it emerged that hackers were exploiting a zero-day vulnerability in the MOVEit file transfer tool. Security researchers had identified more than 2,000 instances of the tool exposed to the public internet, with the majority in the United States.

There were 128 instances of MOVEit Transfer exposed to the internet from the U.K. As a payroll processor, however, Zellis handled data belonging to dozens of other companies, meaning the total number of impacted entities could be significantly higher than those numbers suggest.

The clients listed on the Zellis website include the car manufacturer Jaguar Land Rover, as well as the retail outlet Iceland, the engineering company Dyson, and Aer Lingus. The Record has contacted these companies for comment.

Pharmacy chain Boots, which employs more than 57,000 people in the U.K. and Ireland, has announced that it was impacted. It is not clear how many of its staff had data compromised.

A spokesperson for Aer Lingus confirmed that Zellis provided the company with HR and payroll support services and that “some of our current and former employee data” has been disclosed. However, they added that it had been confirmed that no financial or bank details were compromised.

The impact on BA was first reported by The Mirror, which quoted a "disgruntled employee" complaining: “I woke up to an email to find out all my details needed to steal my identity have been stolen from my company.”

A spokesperson for BA said: “Zellis provides payroll support services to hundreds of companies in the UK, of which we are one… We have notified those colleagues whose personal information has been compromised to provide support and advice.”

A spokesperson for Zellis said that “a large number of companies around the world” had been affected by the MOVEit vulnerability, and confirmed that “a small number of our customers have been impacted by this global issue,” without giving a specific number.

“All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate. Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring,” the spokesperson added.

The company’s spokesperson said the business had notified the data protection authorities in both the U.K. and the Republic of Ireland, as well as both the British and Irish National Cyber Security Centres, about the incident.


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.