Cyber Incident Victim: Zellis
Date: May 2023
Location: United Kingdom
Summary
A cyber incident impacted the payroll provider Zellis through a zero-day vulnerability in the MOVEit file transfer tool. This breach compromised the personal data of staff at several major UK organisations, including the BBC, British Airways, Boots, and Aer Lingus. Exposed information included names, addresses, national insurance numbers, and for some, bank details. The Clop ransomware gang was implicated in the attack but publicly claimed they did not possess the data stolen from Zellis's clients.
Description
On or around May 31, 2023, a significant cybersecurity incident was disclosed involving the exploitation of a zero-day vulnerability within the MOVEit file transfer tool, a product of Progress Software. The software is designed for secure file transfers and is used by a large number of organizations globally, with a majority of its instances located in the United States. The initial disclosure came from Progress Software itself, which alerted its customers to the existence of the vulnerability and promptly released a downloadable security update. The company stated it was working with law enforcement to combat the cybercriminals responsible for the exploit. Concurrently, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to all firms using MOVEit, instructing them to apply the provided security patch immediately to prevent further breaches.

The cyber incident had a widespread impact because MOVEit sits in the software supply chain of many organisations. One of the affected organizations was the UK payroll provider Zellis, which used the MOVEit software. The breach at Zellis was not due to a compromise of its own proprietary software but came through a third-party product it relied on, the MOVEit file transfer tool. Upon becoming aware of the incident, Zellis took immediate action by disconnecting the server that ran the MOVEit software. The company also engaged an expert external security incident response team to assist with forensic analysis and ongoing monitoring of the situation. Zellis confirmed that a small number of its customers were impacted by this global issue and stated it was actively working to support them. The company notified the data protection authorities in both the United Kingdom and the Republic of Ireland, as well as the British and Irish National Cyber Security Centres.
The breach at Zellis led to the exposure of personal data belonging to employees of its client companies. Major UK organizations confirmed they were affected, including the BBC, British Airways (BA), Boots, and Aer Lingus. The BBC, which employs over 21,000 people, acknowledged the data breach at its third-party supplier, Zellis. In communications to its staff, the BBC stated that the stolen data included staff ID numbers, dates of birth, home addresses, and national insurance numbers. The corporation stated it did not believe employees' bank account details were compromised. British Airways, employing approximately 34,000 people in the UK, confirmed it was one of the companies impacted by the Zellis cybersecurity incident. BA notified colleagues whose personal information had been compromised to provide support and advice, and some staff were warned that bank details may have been stolen.
Boots, the pharmacy chain with more than 57,000 employees in the UK and Ireland, also announced it was impacted, though the exact number of affected staff was not clear. Aer Lingus confirmed that Zellis provided it with HR and payroll support services and that some current and former employee data had been disclosed. However, Aer Lingus added that it had been confirmed no financial or bank details were compromised. Other companies listed as clients on the Zellis website, such as Jaguar Land Rover, Iceland, and Dyson, were also potentially impacted, though specific confirmations from these entities were not provided in the available reports. The total number of entities impacted was suggested to be significantly higher than the number of exposed MOVEit instances alone would indicate, as Zellis handled data for dozens of companies as a payroll processor.
The attribution for the attack was initially made by Microsoft, which linked it to the notorious Clop ransomware group, also tracked as Lace Tempest, known for ransomware operations and for running an extortion website where victim data is published. Microsoft stated the hackers responsible had used similar techniques in the past to steal data and extort victims. However, the situation became more complex when the Clop gang itself communicated directly with the BBC, claiming it did not possess the data stolen from the BBC, BA, and Boots. The hackers asserted, "we don't have that data and we told Zellis about it." They further claimed they had never deceived anyone and had not sold the data to other hacking groups. This claim puzzled cybersecurity experts, who suggested multiple possibilities, including that another unknown hacking group may have stolen the data before Clop, or that Clop was being deceptive.
Despite these claims, Clop began posting the profiles of victim companies on its darknet leak site starting around June 14, 2023. The gang listed nearly 50 organizations from more than a dozen countries, including the US, Germany, Switzerland, the UK, Canada, and Belgium. The listed organizations included banks, universities, travel firms, and software companies. Some of these companies separately confirmed they had data stolen. Clop's modus operandi was to threaten to publish the stolen data unless victims paid a ransom, likely amounting to hundreds of thousands of dollars or more in Bitcoin. Notably, the names of the large UK victims like the BBC, BA, and Boots did not appear on Clop's leak site at the time of reporting.
The UK's National Crime Agency (NCA) confirmed it was aware a number of UK-based organizations had been impacted by the cyber incident resulting from the previously unknown security flaw in MOVEit Transfer. The NCA stated it was working with partners to support those organizations and understand the full impact on the UK. The National Cyber Security Centre (NCSC) said it was monitoring the situation and had urged all organizations using the compromised MOVEit software to carry out the necessary security updates. Security researchers had identified over 2,000 instances of the MOVEit tool exposed to the public internet, with 128 of those located in the UK, highlighting the potential scale of the attack.
There were no public reports of ransom demands being made to individuals or of money being stolen from individuals as a direct result of the breach. The primary impact was the theft of personal employee data. The affected organizations advised their staff to be vigilant of any suspicious emails that could lead to further cyber attacks, such as phishing attempts. The incident underscored the significant risk associated with supply-chain vulnerabilities, where a breach in a single, widely used software product can lead to the compromise of data across numerous unrelated organizations. The US government announced a reward of up to $10 million for information linking the Clop gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government. Zellis declined to provide further comment on the claims made by the Clop gang, citing an ongoing police investigation.
