MOVEit hack: BBC, BA and Boots among cyber attack victims

The BBC, British Airways, Boots and Aer Lingus are among a growing number of organisations affected by a mass hack.

Staff have been warned personal data including national insurance numbers and in some cases bank details may have been stolen.

The cyber criminals broke into a prominent piece of software to gain access to multiple companies in one go.

There are no reports of ransom demands being sought or money stolen.

In the UK, the payroll services provider Zellis is one of the companies affected and it said data from eight of its customers had been stolen.

It would not reveal names but organisations are independently issuing warnings to staff.

In an email to employees, the BBC said data stolen included staff ID numbers, dates of birth, home addresses and national insurance numbers.

Staff at British Airways have been warned that some may have had bank details stolen.

The UK’s National Cyber Security Centre said it was monitoring the situation and urged organisations using MOVEit to carry out security updates.

The hack was first disclosed last week when US company Progress Software said hackers had found a way to break into their MOVEit Transfer tool.

The piece of software is popular around the world with most customers in the US.

The US Cybersecurity and Infrastructure Security Agency issued a warning on Thursday to firms that use MOVEit to download a security patch to stop further breaches.

But security researcher Kevin Beaumont said internet scans revealed thousands of company databases could still be vulnerable as affected firms are yet to install the fix.

“Early indications are there are a large number of prominent organisations impacted,” he said.

Experts said it is likely the cyber criminals will choose to attempt to extort organisations rather than individuals.

No ransom demands have been made public yet but it is expected cyber criminals will begin emailing affected organisations to demand a payment.

They will likely threaten to publish the stolen data online for other hackers to pick through.

Victim organisations are reminding staff to be vigilant of any suspicious emails that could lead to further cyber attacks.

Although no official attribution has been made, Microsoft said it believed the criminals responsible are linked to the notorious Cl0p ransomware group, thought to be based in Russia.

In a blog post the US tech giant said it was attributing attacks to Lace Tempest, known for ransomware operations and running the Cl0p extortion website where victim data is published. The company said the hackers responsible have used similar techniques in the past to steal data and extort victims.

“This latest round of attacks is another reminder of the importance of supply chain security,” said John Shier, from cyber security company Sophos.

“While Cl0p has been linked to this active exploitation it is probable that other threat groups are prepared to use this vulnerability as well,” he added.