Staff at the BBC have been warned that their personal data may now be in the hands of cybercriminals, following the exploitation of a vulnerability in a software tool used by the company that manages their payroll.
There are lots of moving parts here, so here’s a quick summary.
BBC – The British Broadcasting Company, whose employees’ data may now be exploited by cybercriminals.
IBM – the company that outsourced the work to their contractor, Zellis.
Zellis – the company that was managing the payroll service for the BBC via IBM, and were apparently using a program called MOVEit Transfer.
Progress – the developer of MOVEit Transfer, a file transfer tool which contains a critical vulnerability.
Cl0p – the Russian-speaking ransomware extortion gang which is being linked to the breach.
According to the BBC, Zellis says it has not seen any evidence that bank account details of its employees were exposed by the data breach.
Even if that is true there may still be plenty of opportunities for enterprising criminals to commit fraud, identity theft, or even just plain-old extortion of affected companies who don’t want their employees’ details plastered over the dark web.
Zellis has many other corporate customers including British Airways, Aer Lingus, and UK high street pharmacy Boots, whose thousands of employees also appear to be affected.
It’s important to recognise that blaming the BBC, Boots, British Airways, IBM, or even Zellis for this data breach is a case of shooting the messenger – rather than those where the fault really lies.
Progress, the developers of the buggy MOVEit Transfer software, clearly have some difficult questions to answer and let’s hope that they release a patch for the problem soon.
But ultimately the real villains of this story are the malicious hackers who have exploited the flaw to make their criminal fortunes.
Any organisation using MOVEit Transfer would be wise to read Progress’s security bulletin, and take the advised steps to mitigate the threat.
Unfortunately, if data has already been stolen then the onus is upon your business to inform affected individuals and companies, as well as reporting the incident to regulators.
Further reading: Cl0p gang tells MOVEit hack victims to contact it before June 14, or else…
