Date: 2023-06-05



The BBC, British Airways and Boots have been caught up in cyber incidents that have exposed employee personal data, including bank and contact details, to hackers.

Last week it was revealed that a so-called zero-day vulnerability (flaw) in MOVEit, a file transfer system created by Progress Software, had been exploited by cybercriminals.

Hackers were able to use MOVEit Transfer to gain access to information on various global companies.

Thousands of businesses are known to be affected.

UK-based payroll provider Zellis confirmed on Monday that eight of its customers were among them.

However, BA confirmed that they were caught up in the incident.

The airline employs 34,000 people in the UK.

The BBC and Boots, which have 50,000 employees, said they were also affected.

The Telegraph newspaper reported that the hack was being linked to a Russian-based group.

Cyberattacks involving the Russian state have spiked since the start of the war in Ukraine, with Western governments, institutions and businesses targeted as they turn their backs on Russia.

Information compromised in this case includes contact details, national insurance numbers, and bank details.

BA told Sky News:

“Zellis provides payroll support services to hundreds of companies in the UK and we are one of them.

“This incident was caused by a new, previously unknown vulnerability in the popular MOVEit file transfer tool. We reached out to our colleagues with compromised privacy to offer support and advice.”

“A global data vulnerability affecting third-party software used by one of our payroll providers contains the personal information of some of our team members,” said a Boots spokesperson.

“Our provider was confident that they had taken immediate action to disable their servers, and they had notified their team members in the first place.”

“Many companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product,” Zellis said in its own statement.

“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.

“All software owned by Zellis is unaffected and there are no incidents or damages involving other parts of our IT assets.

“As soon as we became aware of this incident, we took immediate action, including disconnecting servers using MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”

