Which companies were affected by the MOVEit Russian payroll hack?

Tens of thousands of employees may have had their details stolen due to a cyber attack (Dominic Lipinski/PA) (PA Archive)

Earlier this week, an as-yet-unconfirmed number of UK companies were affected by a cyber attack on payroll service provider Zellis.

The hack was first made public last week when US-based firm Progress Software claimed hackers had discovered a method of breaking into its MOVEit Transfer tool, a widely used piece of software that enables users to move files safely.

Soon after the later attack was reported, Microsoft blamed the data breach on a Russian cybercriminal gang called Clop.

More than 100,000 employees at companies including the BBC, British Airways and Boots have since been informed that their data may have been stolen.

Many experts think that the fallout from the incident is far from over, and that the impact of the hack could be much wider than at first thought.

Here are the key details and who has been affected so far.

Who are the cybercriminals behind the hack?

Since February 2019, the Russian cybercriminal gang Clop has appeared in headlines multiple times, including for server raids by Ukrainian police in 2021.

This raid included arrests of multiple Ukrainian hackers working for the gang.

So far, cybersecurity researchers believe that Clop has successfully attacked at least 230 companies across various industries.

The cybercriminals reportedly host a website on the Dark Web where they routinely upload data dumps from the companies they have breached.

Despite reports in the media and by some researchers that Clop are ransomware attackers, the gang are not using malware to lock computers and blackmail users into paying a Bitcoin ransom, unlike in the 2022 NHS ransomware attack.

Which companies were affected by the hack?

It has already been confirmed that thousands of people working at the BBC, British Airways, Aer Lingus and Boots have had their details stolen; however, more companies are likely to be confirmed as more reports emerge.

These are some of the companies that have already been confirmed as being affected by the MOVEit Russian payroll hack:

BBC

A BBC spokesman said: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”

The BBC employee data disclosed includes first and last names, dates of birth, National Insurance numbers, and the first line of their addresses.

British Airways

BA said it was “deeply disappointed” that its staff were impacted by the Zellis cyberattack.

The airline has provided affected employees with access to a specialist service that helps detect possible misuse of personal information and provides identity monitoring support.

Aer Lingus

An Aer Lingus spokeswoman said: “Aer Lingus has been notified by a third-party service provider (Zellis – provider of HR and payroll support services) that they have experienced a cybersecurity incident, which has resulted in a disclosure of some of our current and former employee data.

“However, it has been confirmed that no financial or bank details relating to Aer Lingus current or former employees were compromised in this incident. It has also been confirmed that no phone contact details relating to Aer Lingus current or former employees were compromised.”

Aer Lingus has established a dedicated phone line, email address, and additional support from its cyber security and data privacy teams.

Boots

The Standard has contacted Boots for comment.

What could happen next?

The cybercrime gang has warned major British companies employing more than 100,000 staff to contact it before June 14, or it will publish stolen information.

The BBC said the gang, which is believed by many to be based in Russia, made the threat in broken English on the dark web.

On Wednesday, the BBC said Clop had posted: “This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit.”

The post said organisations impacted by the hack should send an email to start a negotiation on the crew’s darknet portal.