A third-party cyberattack leaks data from BBC and British Airways

June 6, 2023

The British Broadcasting Corporation (BBC) and British Airways (BA) have fallen victim to a recent cyber incident, confirmed on Monday. The two companies reported that their employees’ data had been compromised owing to a cyberattack at their third-party payroll provider, Zellis.

With the full magnitude of the breach yet to be uncovered, the organisations are collaborating closely with Zellis to evaluate the scope of the damage. Reassuringly, both companies have stated that the bank account information of their employees remains unaffected.

The incidents affecting the two companies may be linked to the recent abuse of a critical flaw in the MOVEit file transfer tool.

British Airways (BA), an airline company with approximately 34,000 staff members in the UK, has confirmed that it was affected by the recent cybersecurity incident at Zellis, its payroll provider, which arose through Zellis's use of the third-party MOVEit software.

The breach came to light last week when hackers exploited a zero-day flaw in the MOVEit file transfer tool, leading to concerns about the tool’s security. Security researchers discovered over 2,000 instances of MOVEit exposed on the public internet, primarily in the US, while the United Kingdom accounted for 128 instances.

However, considering Zellis’s role as a payroll processor for numerous other companies, the true scope of the breach and the number of affected entities could potentially surpass the reported figures.

As a prominent payroll support service provider for hundreds of businesses in the UK, Zellis plays a critical role in managing sensitive employee data. A spokesperson for BA emphasised that they have promptly taken action by notifying affected colleagues whose personal information has been compromised, offering them support and guidance.

Following the recent MOVEit vulnerability, Zellis has acknowledged that this cybersecurity issue has affected many companies worldwide. While the spokesperson refrained from disclosing a specific figure, they confirmed that this global incident impacted a limited number of Zellis customers.

Zellis asserted that their internally developed software remains unaffected, with no reported incidents or compromises elsewhere within their IT infrastructure. The company disconnected the server utilising the MOVEit software and engaged external security incident response experts for forensic analysis and ongoing monitoring.

To ensure transparency, Zellis promptly informed data protection authorities in the UK and Ireland regarding the incident. This proactive approach emphasises the company’s commitment to addressing the situation and protecting the interests of its customers and stakeholders.
