British Airways, BBC and Boots Staff Hit By Russia-Linked Cyber-Hack

It has been reported that tens of thousands of British Airways, BBC and Boots staff may have had their personal details stolen following a suspected Russia-linked cyber attack. BA has written to many of its 34,000-strong workforce warning them of a “cyber security incident which has led to the disclosure of personal information about colleagues paid through British Airways’ payroll in the UK and Ireland”.

An email to BA staff – seen by the Telegraph – warns that the compromised information includes names, addresses, national insurance numbers, banking details and other information. The hack is linked to BA’s payroll provider, Zellis, and other companies that work with the company have also had their information stolen.

Boots has emailed employees saying that staff’s names, surnames, employee numbers, dates of birth, email addresses, the first lines of their home address and national insurance numbers have been affected. It said a “very small number” of employees may have had other data compromised.

A BBC spokesman confirmed they were also affected by the hack. The spokesman said: “We are aware of a data breach at our third party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach.”


Expert comments

Israel Barak, chief information security officer at Cybereason:

“If this was in fact a ransomware attack on payroll management provider Zellis’ third party suppliers, MOVEit, transparency is important for everyone that has been impacted, most importantly the tens of thousands of British Airways, BBC and Boots employees that have had their personal data stolen. In the days ahead, we need to shift focus from dealing with the aftereffects of the attack, to educating organisations on deploying tools that disrupt the earliest stages of attacks through behavioural detections – this is the operation centric approach to cybersecurity.

“Stopping the attackers in their tracks before they can gain access to an organisation’s data is extremely important. The good news is that tools exist today to stop material breaches. We can’t just focus on the attack itself – by then it is too late. Look at the earlier stages of the attack when criminals are inserting malicious code into the supply chain for instance.”

Javvad Malik, lead security awareness advocate at KnowBe4:

“The recent news, involving the theft of sensitive data from BA and Boots highlights the importance of tightening up cybersecurity controls and the challenges of securing the supply chain. It’s also a reminder of how the exploitation of zero-day vulnerabilities represents one of the most significant threats to any IT team.

“In this particular case, the issue appears to be an SQL injection vulnerability within the MOVEit software, which enables unauthorised remote attackers to exploit the system and subsequently, gain access to sensitive information via the database. Unfortunately, the exploitation of such a vulnerability can lead to the theft of valuable data, and in this case, BA’s UK employees’ data has been exposed.

“It’s unfortunate to see so many people affected by this cyberattack. This news demonstrates that the challenges of keeping systems secure go beyond mere firewalls and antivirus software. Securing the supply chain depends on implementing robust cybersecurity measures, such as constant monitoring, insider threat detection, and ongoing education and awareness among users and all staff members. The theft of data from BA and Boots illustrates how organisations depend on software solutions like MOVEit, which underpin their infrastructure and provide an attractive target to cybercriminals, even when they’re not household names.

“In the end, proactive cybersecurity measures can help guard against cyberattacks, but organizations must also prepare for scenarios where a system vulnerability is exploited and no patch is available yet, such as is the case with zero-day vulnerabilities. This breach serves as a dire reminder that organisations need to remain vigilant and work constantly to identify and mitigate these risks to protect their data and their stakeholders.”

Erfan Shadabi, cybersecurity expert at comforte AG:

“The recent cybersecurity incident involving Zellis and their third-party supplier, MOVEit, underscores the critical security risks that organizations face through their supply chain. Third-party supply chain relationships have become a prime target for malicious actors seeking to exploit vulnerabilities in interconnected systems. This incident serves as a reminder that the security of an organization’s data is only as strong as its weakest link. By relying on external suppliers, organizations expose themselves to potential breaches and data compromises if proper security measures are not in place.

“To mitigate these risks, organizations must prioritize securing the data itself. While traditional perimeter-based security measures are important, they may not be sufficient in preventing advanced threats originating from third-party suppliers. Organizations, instead, should adopt a data-centric security approach. Also, when selecting business partners, organizations should conduct thorough due diligence to ensure that potential partners have appropriate data security measures in place. Evaluating the partner’s security practices, certifications, and adherence to industry standards can provide crucial insights into their commitment to data protection.”

Brad Freeman, Director of technology at SenseOn:

“This kind of incident is nothing new unfortunately. MOVEit, the enterprise software involved which is used to transfer sensitive files, should never have been exposed to the Internet in the first place. But, mistakes happen, and attackers can also gain access to these kinds of systems if they are already present on a victim’s network. The SQL injection vulnerability in MOVEit could allow an attacker to remotely gain access to highly sensitive data or further their access, and as we can see it is being actively exploited by threat groups.”

Jamie Akhtar, CEO and co-founder, CyberSmart:

“This incident is the perfect illustration of how a single vulnerability in a supply chain can cause widespread damage. The zero-day vulnerability hackers discovered in MOVEit’s software has exposed thousands of companies to attack.

“It’s a stark reminder (if businesses needed one) of the risks posed by third-party suppliers and the supply chain. And, that even having your own cybersecurity in order is no guarantee of complete protection from breaches.

“With this in mind, we urge all businesses to map their supply-chain dependencies. The goal is to have an understanding of your network of suppliers so that cyber risks can be managed and responded to effectively. If you’re unsure of where to start, the NCSC’s guidance is a great jumping-off point.”

A MOVEit spokesperson commented on the incident:

“Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps. We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.

“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.”