Zellis

Primary URL: www[.]zellis[.]com
Location: United Kingdom
Industry: Financial Services
Profile

Zellis operates as a payroll services provider headquartered in the United Kingdom, delivering core processing solutions for employee compensation, tax compliance, and related human resources administrative functions. The organisation serves a significant portfolio of large-scale corporate and public sector clients, as evidenced by its role as the payroll provider for major entities including the BBC, British Airways, Boots, and Aer Lingus. This client base positions Zellis within a critical segment of the business supply chain, handling highly sensitive personal and financial data such as names, addresses, national insurance numbers, and, in some instances, bank details for staff across these organisations. The nature of its service requires robust data security and precise regulatory adherence, given the volume and sensitivity of the information processed on behalf of its clients. Zellis's operational model is built on managing complex payroll cycles for sizable workforces, making it an integral partner for the human resources and finance departments of its clients. The scope of its market reach is demonstrated by the high-profile national organisations that rely on its services, indicating an established footprint within the UK's corporate landscape.

A defining characteristic of Zellis, highlighted by a major cyber incident in May 2023, is its exposure to systemic third-party software risks. The organisation was compromised through a zero-day vulnerability in the MOVEit secure file transfer tool, a widely used enterprise application. This breach directly impacted Zellis's systems and subsequently led to the exposure of personal data for employees of its numerous clients. The incident involved the Clop ransomware gang, who exploited the vulnerability to access data, though they publicly stated they did not possess the specific information stolen from Zellis's client base. This event underscores Zellis's position as a high-value target within the payroll outsourcing sector due to the aggregated sensitive data it holds. It also illustrates the cascading threat model where a vulnerability in a single vendor's software can propagate across multiple large organisations. The breach prompted significant regulatory and public scrutiny, reinforcing the critical importance of cybersecurity hygiene for payroll processors that manage data for major employers. No explicit details regarding the organisation's ownership structure, parent company, or subsidiary relationships are provided in the available information.

Incidents
1 incident