British Airways, the pharmacy chain Boots and the BBC are among the known victims of an ongoing hacking campaign that cybersecurity experts warn could ensnare thousands more organizations in the coming weeks.

The companies told thousands of staff that personal information may have been compromised by a cyberattack on their payroll provider, Zellis. 

The government of Nova Scotia was also breached by what appears to be a related hack that resulted in the theft of personal information, according to CBC News. A representative for the Nova Scotia government wasn’t immediately available for comment.

The hacks exploited the same vulnerability in MOVEit, a secure file transfer product developed by Progress Software Corp., according to statements from several of the affected entities. MOVEit is used by thousands of companies, including payroll providers, health-care firms and information technology providers. The vulnerability allowed hackers to steal files that customers had uploaded to MOVEit, according to Progress.

Progress released a patch for the software last week.

“When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps,” MOVEit spokesperson John Eddy said in a statement.

A representative for Zellis didn't respond to a request for comment but told the Financial Times that the flaw was in the MOVEit software, not in Zellis's own systems. A representative for the Nova Scotia government also attributed the breach to MOVEit, according to CBC News.

Thousands of companies could be exposed to the hackers, according to Allan Liska, senior intelligence analyst at Recorded Future Inc. Publicly available data sources show thousands of vulnerable MOVEit servers that could have been affected by the flaw, Liska said. The criminal hackers are expected to begin contacting companies and demanding payment in cryptocurrency in exchange for not publishing the stolen data online, he said.

The flaw was the subject of numerous security alerts in recent days, including warnings from the US Department of Homeland Security, the UK National Cyber Security Centre, Microsoft Corp. and Mandiant, a subsidiary of Alphabet Inc.’s Google Cloud. Microsoft said a criminal hacker group that engages in ransomware and extortion is responsible for the MOVEit hack. The same hackers who breached MOVEit were also responsible for previous hacks of two other secure file transfer products developed by Accellion Inc. and Fortra Inc., Liska said.

“We’re expecting the extortion communications to start anytime within the next four weeks or so,” said Charles Carmakal, chief technology officer at Mandiant. “There is a lot of data that the threat actor has to sort through. When the extortion starts, it will probably carry on for a few months.” 

Carmakal said the earliest observed exploitation of MOVEit occurred on May 27. 

At British Airways, the hack led to the disclosure of employees' personal information, including first names and surnames, dates of birth and potentially banking details, according to a spokesperson for the carrier, which employs around 35,000 people.

Boots, with more than 50,000 workers, said employees’ personal details were affected. The server was disabled and staff have been made aware, said a spokesperson for Boots, which is owned by Walgreens Boots Alliance Inc. 

The BBC confirmed it had been affected by the attack on Zellis. A spokesperson said it was urgently trying to establish the extent of the data breach.

A representative for the Nova Scotia government wouldn’t say what kind of information was stolen or how many people are affected, according to CBC News. 

“This is a typical case of a supply chain attack targeting multiple companies at once that hold extremely sensitive data on employees,” said Jake Moore, a UK-based cybersecurity expert and global adviser to the cybersecurity firm ESET. “The security patch on offer is absolutely vital and should have now been installed by all affected companies to remain protected.”