Cyber Incident Victim: Boots UK

Date:

May 2023

Location:

United Kingdom

Summary

A cyber attack exploiting a vulnerability in the MOVEit file transfer tool compromised the payroll provider Zellis, impacting its client Boots UK. The breach resulted in the theft of sensitive employee data, which included personal information such as national insurance numbers, dates of birth, home addresses, and bank details. The Clop ransomware gang was widely attributed as being responsible for the mass hack, though the group publicly claimed it did not possess the data stolen from Zellis and its affected customers.

CIA Posture: Available to members

Motives: 6 motives

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On or around May 31, 2023, Progress Software, the makers of the MOVEit Transfer tool, first disclosed that hackers had found a way to break into its software. MOVEit is a prominent piece of software designed to move sensitive files securely and is popular with organizations around the world, with most of its customers based in the United States. Progress Software stated it alerted its customers as soon as the hack was discovered and quickly released a downloadable security update. A spokesperson for the company said it was working with police to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products. The US Cybersecurity and Infrastructure Security Agency issued a warning on the same day to firms that use MOVEit, instructing them to download a security patch to stop further breaches. Security researcher Kevin Beaumont noted that internet scans revealed thousands of company databases could still be vulnerable as many affected firms were yet to install the fix.

The cyber incident involved criminals breaking into the MOVEit software to gain access to the databases of multiple companies in one go. Microsoft stated it believed the criminals responsible were linked to the notorious Cl0p ransomware group, thought to be based in Russia. In a blog post, the US tech giant said it was attributing the attacks to a threat actor known as Lace Tempest, which is known for ransomware operations and for running the Cl0p extortion website where victim data is published. The company said the hackers responsible had used similar techniques in the past to steal data and extort victims. The UK's National Crime Agency confirmed it was aware that a number of UK-based organizations had been impacted by a cyber incident as a result of a previously unknown security flaw relating to MOVEit Transfer. The NCA added it was working with partners to support those organizations and understand the full impact on the UK.

In the United Kingdom, the payroll services provider Zellis was identified as one of the companies affected by the breach. Zellis confirmed that a small number of its customers had been impacted by this global issue and that it was actively working to support them. The company stated that as soon as it became aware of the hack it took immediate action and disconnected the computer server on which the MOVEit software was installed. Zellis also brought in an expert external security team to help it respond to the attack and notified the relevant UK data authorities. The firm said data from eight of its client firms had been stolen, though it would not initially reveal their names. Organizations began independently issuing warnings to their staff.

The BBC, British Airways, Boots UK, and Aer Lingus were among the organizations confirmed to be affected. Staff at these organizations were warned that sensitive personal data had been stolen. In an email to employees, the BBC said the stolen data included staff ID numbers, dates of birth, home addresses, and national insurance numbers. Staff at British Airways were warned that some individuals may have had their bank details stolen. Boots UK and Aer Lingus were also confirmed as victims whose employee data was compromised through the breach at Zellis. There were no initial reports of ransom demands being sought or money stolen from individuals. Victim organizations reminded their staff to be vigilant of any suspicious emails that could lead to further cyber attacks.

The UK's National Cyber Security Centre said it was monitoring the situation and urged all organizations using the compromised MOVEit software to carry out the available security updates. Experts stated it was likely the cyber criminals would attempt to extort money from the organizations rather than individuals. Although no official ransom demands had been made public at the initial stage, it was expected that cyber criminals would begin emailing affected organizations to demand payment, threatening to publish the stolen data online for other hackers to access. John Shier from cyber security company Sophos noted that while Cl0p had been linked to the active exploitation, it was probable that other threat groups were prepared to use this vulnerability as well.

Following the initial disclosure, the Clop gang began posting the names of victim companies on its darknet website, which it refers to as a "leak site," in small batches. The gang added the names, websites, and company addresses of nearly 50 victims from more than a dozen different countries, including the US, Germany, Switzerland, the UK, Canada, and Belgium. The listed organizations included banks, universities, travel firms, and software companies. Some of the companies listed by Clop on its site separately confirmed that they had data stolen. Clop is known for using this tactic to pressure victims into paying a ransom, which is likely to be hundreds of thousands of dollars or more in Bitcoin. However, none of the UK's largest and most well-known victims' names, such as the BBC, BA, and Boots, had been posted to the site by the gang at that time.

In a subsequent development, the Clop gang contacted the BBC via email and claimed they did not possess data belonging to the large UK organizations, specifically the BBC, British Airways, and Boots. The cyber-criminals repeatedly claimed, "We don't have that data and we told Zellis about it. We just don't have it. We are an old group and have never deceived anyone, if we say that we do not have information, then we do not have it." They also claimed they did not sell anything to other hackers. This claim raised the possibility that another unknown hacking gang had the stolen data or that Clop was not being truthful. Zellis would only refer inquiries to its previous statement and could not comment further as a police investigation was ongoing.

Cyber-security experts expressed puzzlement over Clop's claims, which further muddied an already complex situation. Threat researcher Brett Callow from Emsisoft suggested Clop could be covering up the fact it stole the data as part of a sale deal with another hacking group. Other experts noted there were many possibilities. Amir Hadžipasić from SOS Intelligence stated that Clop had no real reason to say they did not have the data. If they were telling the truth, it suggested that other hackers may have stolen the data before Clop, making the situation less predictable as the files could still end up on the dark web via another group. Since the initial MOVEit disclosure, researchers had found many security issues within the software, meaning it was possible the data was stolen in a different way by a different group.

The impact of the incident was significant due to the sensitive nature of the data stolen, which included highly personal information such as national insurance numbers, dates of birth, home addresses, and in some cases banking details. The breach affected a large number of employees across multiple major UK organizations. The incident highlighted the importance of supply chain security, as the compromise of a single software provider, Zellis, led to the exposure of data across its client base. The response involved coordinated efforts from the affected companies, external security teams, and national authorities like the NCSC and NCA. The full extent of the data theft and its ultimate disposition remained unclear as the police investigation continued. On June 16, the United States government announced a $10 million reward for information linking the Clop gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government.

Sources

2 sources (available to members)