
BBC staffers warned of payroll data breach. Other firms also affected by MOVEit vulnerability – Source: grahamcluley.com

Source: grahamcluley.com – Author: Graham Cluley

BBC staffers warned of payroll data breach, other firms affected by MOVEit vulnerability

Staff at the BBC have been warned that their personal data may now be in the hands of cybercriminals, following the exploitation of a vulnerability in a software tool used by the company that manages their payroll.

There are lots of moving parts here, so here’s a quick summary.

BBC – The British Broadcasting Company, whose employees’ data may now be exploited by cybercriminals.

IBM – the company that outsourced the work to their contractor, Zellis.

Zellis – the company that was managing the payroll service for the BBC via IBM, and were apparently using a program called MOVEit Transfer.

Progress – the developer of MOVEit Transfer, a file transfer tool which contains a critical vulnerability.

Cl0p – the Russian-speaking ransomware extortion gang which is being linked to the breach.

According to the BBC, Zellis says it has not seen any evidence that bank account details of its employees were exposed by the data breach.

Even if that is true, there may still be plenty of opportunities for enterprising criminals to commit fraud, identity theft, or even just plain-old extortion of affected companies who don’t want their employees’ details plastered over the dark web.

Zellis has many other corporate customers including British Airways and UK high street pharmacy Boots, whose thousands of employees also appear to be affected.

It’s important to recognise that blaming the BBC, Boots, British Airways, IBM, or even Zellis for this data breach is a case of shooting the messenger, rather than looking at where the fault really lies.

Progress, the developers of the buggy MOVEit Transfer software, clearly have some difficult questions to answer and let’s hope that they release a patch for the problem soon.

But ultimately the real villains of this story are the malicious hackers who have exploited the flaw to make their criminal fortunes.

Any organisation using MOVEit Transfer would be wise to read Progress’s security bulletin, and take the advised steps to mitigate the threat.

Unfortunately, if data has already been stolen then the onus is upon your business to inform affected individuals and companies, as well as reporting the incident to regulators.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.

Original Post URL: https://grahamcluley.com/bbc-staffers-warned-of-payroll-data-breach-other-firms-affected-by-moveit-vulnerability/

Category & Tags: Data loss, Ransomware, Vulnerability, BBC, Boots, British Airways, data breach, Malware, payroll, ransomware, vulnerability
