Cyber Incident Victim: British Broadcasting Corporation
Date: May 2023
Location: United Kingdom
Summary
A cyber attack exploiting a vulnerability in the MOVEit file transfer tool compromised the payroll provider Zellis, leading to a data breach affecting the BBC and other major UK organizations. Stolen employee data included national insurance numbers, dates of birth, home addresses, and in some cases, bank details. The Clop ransomware gang, initially suspected, claimed they did not possess the data from these specific victims, introducing uncertainty about the responsible threat actor and the final disposition of the stolen information.
Description
On or around May 31, 2023, Progress Software, the makers of the MOVEit Transfer tool, publicly disclosed that cyber criminals had found a way to break into its software. MOVEit is a prominent piece of software designed to move sensitive files securely and is popular with organizations globally, with most of its customers based in the United States. The hack involved criminals exploiting a vulnerability to gain access, which then allowed them to infiltrate the databases of potentially hundreds of other companies that used the file transfer tool. The US Cybersecurity and Infrastructure Security Agency issued a warning to firms using MOVEit, instructing them to download a security patch to prevent further breaches. Progress Software stated it alerted its customers as soon as the hack was discovered and quickly released a downloadable security update. A spokesperson for the company said it was working with police to combat increasingly sophisticated and persistent cybercriminals.

In the United Kingdom, the payroll services provider Zellis was identified as one of the companies affected by this mass hack. Zellis confirmed that a small number of its customers had been impacted by this global issue. The company stated that as soon as it became aware of the hack, it took immediate action by disconnecting the computer server on which the MOVEit software was installed. Zellis brought in an expert external security team to help it respond to the attack and notified the relevant UK data authorities. The company said that data from eight of its client firms had been stolen, though it initially did not reveal their names. These organizations independently began issuing warnings to their staff.
The BBC, British Airways (BA), Boots, and Aer Lingus were among the large UK organisations confirmed to be affected as customers of Zellis. Staff at these organisations were warned that sensitive personal data had been stolen. In an email to employees, the BBC stated the stolen data included staff ID numbers, dates of birth, home addresses, and national insurance numbers. Staff at British Airways were warned that some individuals may have had their bank details stolen. Boots and Aer Lingus also notified their employees that personal data, including national insurance numbers, may have been compromised. There were no immediate reports of ransom demands being sought from individuals or of money being stolen directly.
Microsoft attributed the attacks to a threat actor known as Lace Tempest, which is known for ransomware operations and for running the Clop extortion website. This group is thought to be based in Russia. Microsoft stated the hackers responsible had used similar techniques in the past to steal data and extort victims. The National Crime Agency (NCA) in the UK confirmed it was aware a number of UK-based organisations had been impacted by the cyber incident as a result of the previously unknown security flaw in MOVEit Transfer. The NCA stated it was working with partners to support those organisations and understand the full impact on the UK. The UK's National Cyber Security Centre said it was monitoring the situation and urged all organisations using the compromised software to carry out the necessary security updates.
A security researcher noted that internet scans revealed thousands of company databases could still be vulnerable, as many affected firms had yet to install the security fix provided by Progress Software. Experts stated it was likely the cyber criminals would attempt to extort money from the organisations rather than from individuals. Although no ransom demands had been made public at the initial stage, it was expected that cyber criminals would begin emailing affected organisations to demand payment, likely threatening to publish the stolen data online for other hackers to access. The victim organisations reminded their staff to be vigilant of any suspicious emails that could lead to further cyber attacks.
Subsequently, the hacking gang known as Clop began posting profiles of victims on its darknet website, which it uses as a leak site to pressure companies into paying a ransom. The gang added the names, websites, and company addresses of nearly 50 victims in small batches. These organisations included banks, universities, travel firms, and software companies from more than a dozen countries, including the US, Germany, Switzerland, the UK, Canada, and Belgium. Some of the companies listed on the leak site separately confirmed they had data stolen. Clop threatened to publish the stolen data unless victims paid a ransom, which was likely to be hundreds of thousands of dollars or more in Bitcoin. Notably, however, the names of the BBC, BA, and Boots were not posted on Clop's leak site.
In a direct email exchange with the BBC, the Clop gang claimed they did not possess the data belonging to these large UK organisations. The cyber criminals repeatedly stated, "We don't have that data and we told Zellis about it. We just don't have it. We are an old group and have never deceived anyone, if we say that we do not have information, then we do not have it." They also claimed, "we didn't sell anything to other hackers." This claim raised several possibilities, including that another unknown hacking gang may have stolen the data or that Clop was not being truthful. Zellis would not comment on these claims, referring only to its previous statement, as a police investigation was ongoing.
Cyber-security experts expressed puzzlement over Clop's claims, which further complicated an already complex situation. One threat researcher suggested Clop could be covering up the fact that it stole the data as part of a sale deal with another hacking group. Other experts posited that if Clop was telling the truth, it could mean other hackers had infiltrated the systems and stolen the data before Clop had the chance, making the situation less predictable and increasing the likelihood that the files would eventually appear on the dark web via another group. Since the initial MOVEit disclosure, researchers had found many other security issues within the software, meaning it was possible the data was stolen in a different way by a different group.
The incident impacted a significant number of organisations globally, with hundreds thought to have had their data stolen through the exploitation of the MOVEit software. The full scope and consequences of the breach were still being assessed. In response to the broader threat, the United States government announced a reward of ten million dollars for information linking the Clop gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government. The incident highlighted the risks associated with supply chain security, where breaching a single software provider can lead to the compromise of multiple downstream customers. The affected organisations and authorities continued their investigations into the breach and its full impact.
