
Cyber Incident Victim: Aer Lingus

Date: May 2023

Location: Ireland

Summary

Aer Lingus was among the organizations impacted by a mass cyber attack exploiting a vulnerability in the MOVEit Transfer software. The breach resulted in the theft of employee personal data, which included national insurance numbers, dates of birth, home addresses, and bank details for some. The attack was attributed to the Cl0p ransomware group, which used the flaw to steal data from multiple companies through their common payroll services provider.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around May 28, 2023, a significant cybersecurity incident was disclosed involving the exploitation of a previously unknown security flaw in Progress Software’s MOVEit Transfer tool. This software is designed for the secure transfer of sensitive files and is used by numerous organizations worldwide, with a large customer base in the United States. The cyber criminals responsible for the attack leveraged this vulnerability to gain unauthorized access to the systems of multiple companies in a single, coordinated action, making it a mass supply-chain attack. The incident impacted a wide range of prominent organizations, including the BBC, British Airways, Boots, and Aer Lingus, indicating the broad scope and severe consequences of the breach.


Progress Software, the US-based developer of MOVEit, first publicly disclosed the hack during the preceding week. The company stated it had discovered that hackers had found a way to break into its software product. Upon discovery, Progress Software immediately alerted its customer base and quickly released a downloadable security update designed to patch the vulnerability and prevent further unauthorized access. A spokesperson for the firm confirmed it was working with law enforcement agencies to combat what it described as increasingly sophisticated and persistent cybercriminals who are intent on maliciously exploiting vulnerabilities in widely used software products.

In the United Kingdom, the payroll services provider Zellis was identified as one of the companies directly affected by the breach. Zellis confirmed that data from eight of its client firms had been stolen as a result of the attack on its systems. While Zellis did not publicly reveal the names of all its affected clients, several major organizations independently issued warnings to their staff. The BBC informed its employees via email that the stolen data included staff ID numbers, dates of birth, home addresses, and national insurance numbers. British Airways warned its staff that for some individuals, bank details may have been stolen. Similarly, Aer Lingus and Boots were confirmed to be among the victims whose employee data was compromised.

The nature of the stolen data was consistently reported as highly sensitive personal information. This included national insurance numbers, which are critical identifiers in the UK, and in specific cases, banking information. There were no initial reports of ransom demands being made public or of money being directly stolen from individuals as an immediate consequence of the breach. However, experts monitoring the situation indicated it was highly likely the cyber criminals would subsequently attempt to extort money from the victim organizations themselves rather than targeting individuals directly. The expected method of extortion involved threatening to publish the stolen data online on cybercrime forums, thereby exposing affected individuals to further risks such as identity theft and targeted phishing attacks.

In response to the growing threat, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an official warning on May 25, 2023, instructing all firms that use the MOVEit software to download and apply the available security patch immediately to prevent further breaches. Despite this directive and the availability of the fix, security researchers conducting internet scans found that thousands of company databases running the software remained vulnerable. Many affected organizations had not yet installed the necessary update, leaving them exposed to continued exploitation by the same threat actors or by other groups who might attempt to use the same vulnerability.

Official attribution for the attack was initially not confirmed by law enforcement. However, Microsoft provided analysis linking the activity to a known threat group. In a blog post, the US tech giant stated it attributed the attacks to a threat actor it tracks as Lace Tempest. This group is known for its ransomware operations and for running the Cl0p extortion website, a platform frequently used to publish stolen data from victims. Microsoft noted that the hackers responsible had employed similar techniques in past incidents to steal data and extort their victims. The connection to Cl0p, a notorious ransomware group believed to be based in Russia, pointed to a highly organized and capable set of attackers.

Within the UK, the National Cyber Security Centre (NCSC) acknowledged it was monitoring the situation closely. The NCSC urged all organizations using the compromised MOVEit software to carry out the recommended security updates without delay to protect their systems. Simultaneously, the National Crime Agency (NCA) confirmed it was aware a number of UK-based organizations had been impacted by the cyber incident as a direct result of the MOVEit security flaw. The NCA stated it was working with its partners to support the affected organizations and to understand the full impact of the breach on the UK.

The victim organizations began a process of internal response and notification. Beyond informing their staff of the data compromise, these companies issued reminders to employees to remain vigilant against any suspicious emails. This guidance was intended to mitigate the risk of follow-on cyber attacks, such as phishing campaigns that could use the stolen personal information to craft convincing and targeted messages. The primary goal was to prevent further security incidents stemming from the initial data theft.

The incident underscored the critical importance of supply chain security, as a vulnerability in a single, widely used software product enabled a cascading failure across multiple unrelated organizations. The attack demonstrated how cyber criminals could achieve maximum impact by targeting a central service provider like Zellis, which held sensitive data on behalf of its numerous corporate clients. The full scale of the data theft was not immediately quantifiable, but early indications suggested a large number of prominent organizations across different sectors had been impacted. The consequences for affected individuals included the potential for long-term exposure of their personal and financial details, necessitating ongoing vigilance. The collective response from software vendors, cybersecurity agencies, and law enforcement focused on containment through patching and investigation to assess the total damage.
