Victims of MOVEit vulnerability are coming forward and confirming that they have been impacted by an attack on the former.
Aer Lingus, BBC, Boots, and British Airways have confirmed that they have suffered a data breach directly or indirectly due to the MOVEit vulnerability. The BBC cyber attack has led the broadcasting company to send emails to its staff alerting about the same.
Meanwhile, the Cl0p ransomware group has claimed responsible for the data-theft attacks that were exdcuted by exploiting the MOVEit vulnerability, BleepingComputer reported.
The ransomware group went on a worldwide rampage by exploiting a vulnerability in another popular data transfer service, GoAnywhere.
MOVEit vulnerability, BBC cyber attack, and the British Airways data breach
BBC sent emails to its staff stating that their staff ID numbers, date of birth, residential address, and national insurance numbers has been stolen by hackers.
The Cyber Express reached out to the above-mentioned companies for comments.
“We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit,” replied the British Airways press office representative.
Addressing how Zellis comes into the picture, the British Airways representative further added, “Zellis provides payroll support services to hundreds of companies in the UK, of which we are one. This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool.”
MOVEit vulnerability, cyber attack, and the role of Zellis
In order to alert and provide support to the impacted individuals, British Airways has notified the staff whose personal information has been compromised.
Although the attack leading to British Airways, Boots, Aer Lingus, and the BBC cyber attack originated with exploiting a zero-day vulnerability CVE-2023-34362, it led the Cl0p ransomware group to Zellis, and from there, its client based in the United Kingdom, namely Boots, BBC, and British Airways.
With time, more victims are predicted to come forward confirming data breaches suffered by organizations using MOVEit Transfer or Zellis, which provided payroll services to British Airways.
The representative of British Airways confirmed that BA did not have a contract with MOVEit. However, they were likely impacted because MOVEit is a supplier of Zellis.
“Our data protection team is working closely with IAG’s Group Security Operations Centre (SOC) to ensure the containment of the issue and to mitigate any misuse of information,” the press representative of British Airways told The Cyber Express.
“Zellis and BA have both reported the incident to the Information Commissioner’s Office (ICO).”
Zellis cyber attack and its UK-based clients
“We are aware of a data breach at our third party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach,” a BBC spokesman confirmed to the Daily Telegraph.
Zellis attributed the cyber attack it suffered due to the MOVEit Transfer security breach however denied that any of its own software was impacted.
“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate,” said the company statement.
Upon learning about the cyber attack on MOVEIt, Zellis disconnected the server that utilized the MOVEit software, the company said.
MOVEit vulnerability and the Aer Lingus cyber attack
An Aer Lingus spokesperson responded to The Cyber Express’s email by confirming that the Ireland-based international airlines was notified by Zellis about it experiencing a cyber attack.
“This has resulted in a disclosure of some of our current and former employee data,” the spokesperson told The Cyber Express.
“It has been confirmed that no financial or bank details relating to Aer Lingus current or former employees were compromised in this incident. It has also been confirmed that no phone contact details relating to Aer Lingus current or former employees were compromised.”
The spokesperson said that Zellis assured that the incident has been contained and that they have alerted the Data Protection Commissioner and the National Cyber Security Center, as has Aer Lingus.
Dedicated phone lines have also been made available for the staff of Aer Lingus for any help they may require regarding the Aer Lingus data breach.
MOVEit vulnerability attack, a supply chain issue
The Cyber Express, in order to investigate and gain more perspective on a chain of attacks coming from a single vulnerability, spoke with Mark Wojtasiak, Vice President of Strategy at Vectra, who threw light on the gravity of similar exploitations.
“BA, BBC, and Boots are just the latest examples of how difficult it’s becoming for organizations to protect themselves as their software supply chains become more complex. It becomes a vast chain of networks that hackers exploit as they get vulnerable to ransomware or other cyber attacks,” he said.
“With every new vendor added to their IT ecosystem, an organisation’s attack surface grows. This is adding to a growing spiral of more modern, advanced, sophisticated, and – worst of all – unknown attacks.”
Mark further stressed on the need to exercise caution not only while selecting third-party providers but also in improving visibility into their own IT environments so they can identify supply chain security events as they occur.