Which hackers have the stolen employee data from the BBC, British Airways and Boots?

In June 2023, hackers – believed to be part of Russian crime group Clop – exploited a security flaw in the MOVEit file transfer software. The breach affects several global organisations that use this software.

Zellis provides payroll support services to hundreds of companies in the UK. Zellis used the software and eight of its clients are said to be impacted by the breach, including the BBC, British Airways and Boots.  

Over the last week, Clop has been posting the names of those companies it claims to have accessed, pressurising them into paying a ransom. So far, around 50 victims have been shared, but none of the ‘big names’ have been posted by Clop. And, according to the BBC, Clop is now claiming that: “We don’t have that data and we told Zellis about it. We just don’t have it. We are an old group and have never deceived anyone, if we say that we do not have information, then we do not have it.”

Following the statement by Clop, the BBC has put forward several possibilities for what has happened to the stolen data. These are:   

  • Another, unknown hacker gang has the stolen Zellis data
  • Clop is lying
  • Clop has already sold the data to another group of cybercriminals (Clop denies this)

Zellis has yet to respond to Clop’s announcement, stating only that: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.” 

If Clop is telling the truth, then the affected Zellis clients could be at greater risk than was initially thought. The situation is suddenly less certain as nobody knows where the stolen data is.  

At KP Law, our cyber experts have been investigating the MOVEit data breach for a few weeks now. From what we have been able to establish, the software was flawed on many different levels, so it is quite likely that more than one hacker group was able to infiltrate it.  

Who is responsible for your data?

This is a good question, and a tricky one to answer: while it was MOVEit that was hacked, organisations – including employers – are responsible for the security of the personal data they hold.

One thing is certain: regardless of which cybergang now has the stolen data from Zellis, affected Boots, BA and BBC employees are at risk.

If you receive notification that you are affected by this data breach, register below to make a no-win, no-fee compensation claim. 

Published by Deborah Stuttard, 1 year ago
