Media watchdog Ofcom has confirmed that it has fallen victim to a cyber-attack. The attack is believed to have been conducted by hackers associated with a notorious Russian ransomware group.
During the mass hack, confidential data concerning companies regulated by Ofcom and personal information of 412 employees were downloaded.
The breach has affected various firms, including British Airways, the BBC, and Boots. Ofcom has promptly alerted all the companies it regulates and reported the incident to the Information Commissioner’s Office (ICO). While no payroll data was compromised, significant concerns regarding the security breach remain.
The MOVEit Software Breach
The mass hack exploited a software vulnerability in MOVEit, a secure file transfer tool widely utilised by companies globally. MOVEit is designed to facilitate the secure transfer of sensitive files such as employee addresses and bank account details.
Ofcom has taken immediate action by suspending the use of MOVEit and implementing recommended security measures. Moreover, the media watchdog has provided support and assistance to the affected Ofcom-regulated companies. Fortunately, Ofcom’s own internal systems remained uncompromised during the attack.
Companies Respond to the Cyber-Attack
The British Broadcasting Corporation (BBC), British Airways (BA), and Boots have all reported being affected by the breach. Accountancy firm Ernst & Young (EY) has also confirmed being a victim of the attack. In response to the incident, EY has launched an investigation into its use of the compromised tool and has taken immediate steps to safeguard any potentially accessed data. While most of its systems remain unaffected, EY continues to thoroughly investigate systems that may have been compromised.
Understanding the Supply-Chain Attack
The recent cyber-attack is categorised as a “supply-chain attack.” Progress Software, a US company, initially disclosed the breach, revealing that hackers had found a vulnerability in their MOVEit Transfer tool. Exploiting this security flaw, the hackers gained unauthorised access to several companies.
Notably, even organisations not directly utilising MOVEit have been impacted due to third-party arrangements. For instance, the BBC had employee data stolen because Zellis, its payroll processing company, fell victim to the attack. It is estimated that eight companies using Zellis, including British Airways, Aer Lingus, and Boots, are affected. Other UK-based organisations using MOVEit are also believed to be impacted.
The Culprits and Ransom Demands
The cybercriminals behind this attack are linked to the infamous Clop ransomware group, suspected to be based in Russia. The group has threatened to publish data from companies that fail to initiate negotiations via email by a specified deadline.
BBC cyber correspondent Joe Tidy highlights the group’s track record of following through on such threats, making it likely that private data from affected organisations will be published on the group’s darknet website in the coming weeks.
It is important to note that some victims may have quietly paid a ransom, potentially worth hundreds of thousands or even millions of dollars in Bitcoin, to avoid public exposure on Clop’s website. However, paying the ransom only fuels the growth of criminal enterprises, and there is no guarantee that hackers won’t exploit the data for further attacks.
The cyber-attack on Ofcom and the subsequent breach of confidential data and personal information highlight the growing threat posed by ransomware groups. The impact of this supply-chain attack extends beyond companies directly using the compromised software, affecting third-party organisations as well.
To mitigate risks and protect sensitive information, affected companies must promptly respond by enhancing security measures, investigating potential compromises, and notifying relevant authorities. Additionally, organisations are strongly advised against paying ransoms, as doing so not only perpetuates criminal activities but also offers no guarantee of data protection.
As cyber threats continue to evolve, robust cybersecurity measures and vigilant monitoring remain crucial for safeguarding sensitive data.