Cyber Incident Victim: British Airways
Date: May 2023
Location: United Kingdom
Summary
British Airways was among the organisations caught up in a mass cyber attack that exploited a vulnerability in the MOVEit Transfer file transfer tool. The airline was not breached directly: the data was taken from its payroll provider, Zellis, whose MOVEit server was compromised. Stolen staff data included national insurance numbers, dates of birth and, for some individuals, bank details. The campaign was widely attributed to the Clop ransomware gang, although Clop subsequently claimed not to hold the data stolen from these UK victims.
Description
On or around 31 May 2023, Progress Software, the maker of the MOVEit Transfer tool, announced that cyber criminals had found a way to break into its software. MOVEit is a widely deployed product for moving sensitive files securely between organisations; most of its customers are based in the United States. The initial disclosure revealed that the attackers had exploited a previously unknown flaw, a zero-day vulnerability, in the software. Because MOVEit servers are typically internet-facing and hold or broker large volumes of data, a single coordinated campaign against the flaw gave the attackers a route into the data of potentially hundreds of companies. The UK's National Crime Agency acknowledged it was aware that a number of UK-based organisations had been impacted as a result of the flaw.

The attack had immediate and widespread consequences, reaching organisations that had never run MOVEit themselves but relied on third-party providers that did. In the United Kingdom, the payroll services provider Zellis was identified as one of the companies affected. Zellis confirmed that a server on which its MOVEit software was installed had been compromised, and said a small number of its customers had been impacted by the global issue. It was subsequently reported that data from eight of Zellis's client firms had been stolen. Zellis did not publicly name these clients, but the organisations began independently issuing warnings to their staff.
Among the growing number of organisations confirmed to be affected were the BBC, British Airways, Boots, and Aer Lingus. All were Zellis customers and were breached through the compromise of the payroll provider's systems rather than through any system of their own. The stolen data was highly sensitive personal information about their employees. In an email to staff, the BBC disclosed that the stolen data included staff ID numbers, dates of birth, home addresses, and national insurance numbers. British Airways warned its staff that the breach may have resulted in the theft of bank details for some individuals. Boots and Aer Lingus similarly notified staff that personal data, including national insurance numbers, had been compromised. There were no immediate reports of ransom demands being made to individuals or of money being taken directly from accounts.
In response to the discovery of the breach, Zellis took immediate action. It disconnected the affected server hosting the MOVEit software to prevent further unauthorised access, brought in an external security team to assist with the response, and notified the relevant UK data authorities. Progress Software stated that it had alerted customers as soon as the intrusion was discovered and quickly released a security update to fix the vulnerability. The US Cybersecurity and Infrastructure Security Agency issued a formal warning to all firms using MOVEit, instructing them to apply the patch. However, internet scans by security researchers indicated that thousands of exposed MOVEit servers remained unpatched well after the fix was available. A patch for a zero-day that is already being exploited does nothing for a system compromised before it was applied, so organisations also needed to check their servers for signs of intrusion rather than simply updating.
The UK's National Cyber Security Centre stated it was monitoring the situation and urged all organisations using the affected MOVEit software to apply the security updates. The National Crime Agency confirmed it was working with partners to support the impacted UK organisations and to understand the full extent of the incident in the country. While authorities did not immediately attribute the attack, Microsoft published a blog post stating it believed those responsible were linked to the Clop ransomware group, which it tracks as Lace Tempest (the group is also written Cl0p). Microsoft noted that the group is known for its ransomware operations and for running an extortion website where victim data is published, and that it had used similar techniques in the past to steal data and extort victims. This remained a vendor attribution rather than an official one.
Following the initial breach, Clop began posting profiles of victim companies on its darknet leak site from around 14 June 2023. The site is used to pressure organisations into paying by threatening to publish stolen data. Ransom demands in such cases were expected to run to hundreds of thousands of dollars or more, payable in Bitcoin. Nearly 50 victim organisations from more than a dozen countries, including the US, Germany, Switzerland, the UK, Canada, and Belgium, were listed on the site, among them banks, universities, travel firms, and software companies. Some of the companies listed by Clop separately confirmed that they had data stolen.
A puzzling development followed: although the BBC, British Airways, and Boots were confirmed victims of the breach through Zellis, their names did not appear on Clop's leak site. In an email exchange with the BBC, the Clop gang repeatedly claimed it did not possess the data stolen from Zellis and its clients. The hackers stated, "We don't have that data and we told Zellis about it. We just don't have it." They further claimed they had not sold the data to any other hacking groups. The claim raised significant questions within the cybersecurity community: either another, unknown group had separately taken the Zellis data before Clop, or Clop was being deceptive about holding it. Security experts noted that the situation became less predictable if the data was held by another group, since it would likely end up on the dark web regardless. The picture was further complicated by the discovery of multiple additional security issues in the MOVEit software after the initial disclosure, leaving open the possibility that the data had been stolen by a different route by a different group.
The impacted organisations, including the BBC, British Airways, and Boots, focused on internal response and staff communication. They warned employees to be vigilant for suspicious phishing emails, since the stolen personal details could be used to make targeted lures convincing. No public ransom demands directed at these UK organisations were reported. The broader consequences of the attack were global in scale, with experts stating that early indications showed a large number of prominent organisations had been impacted. The US government subsequently announced a reward of up to $10 million for information linking the Clop gang, or any other malicious cyber actors targeting US critical infrastructure, to a foreign government. The incident underscored the risk posed by vulnerabilities in widely used software within the supply chain: an organisation can be exposed to a flaw in a product it has never deployed, through a provider that has.
