Russian hackers raid British Airways and BBC in cyber attack

Thousands of British Airways, BBC and Boots employees may have had data including bank account details and national security numbers stolen in a suspected Russia-linked cyber attack.

Some of Britain’s biggest businesses were tonight scrambling to work out how much employee data had been stolen in a major breach thought to have affected as many as 100,000 British workers.

The National Cyber Security Centre said it was “working to fully understand the UK impact” of the incident.

British Airways, the BBC, Boots and Aer Lingus all confirmed they were victims of a hack targeted at Zellis, a company used to process payroll payments.

Security researchers said the cyber attack appeared to be linked to a Russian-speaking cybercrime group called Clop. Russian-linked gangs have stepped up attacks on the West in the wake of the Ukraine war.

BA on Monday wrote to all of its 34,000-strong workforce warning them of a “cyber security incident which has led to the disclosure of personal information about colleagues paid through British Airways’ payroll in the UK and Ireland”.

An email to BA staff – seen by the Telegraph – warned that the compromised information included names, addresses, national insurance numbers and banking details.

Boots, which employs 52,000 people in Britain, emailed employees to warn that data including home address and national insurance numbers had been stolen.

The BBC confirmed it had also been affected by the hack, with a significant majority of the broadcaster’s 22,000 employees believed to be hit.

A spokesman said: “We are aware of a data breach at our third party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach.

“We take data security extremely seriously and are following the established reporting procedures.”

Aer Lingus, which employs 4,000 people, said information on current and former employees, including their national insurance numbers, had been stolen in the breach. However, a spokesman said “no financial or bank details relating to Aer Lingus current or former employees were compromised in this incident.”

Zellis provides payroll services to a large number of major organisations including the NHS and Jaguar Land Rover. The hack is understood to have affected eight Zellis customers.

Hackers exploited a backdoor in a piece of software used by Zellis called MOVEit, which is used to transfer files.

Progress Software, the maker of MOVEit, first identified the vulnerability last week. It told customers to “take immediate action” and delete any unauthorised user accounts added by hackers.

Rafe Pilling, a principal researcher with cyber security company Secureworks, said his Counter Threat Unit team had observed the Russian-speaking Clop gang targeting vulnerable servers over the past few days.

He said: “We have a number of active and ongoing incident response tasks relating to this hack.”

Mr Pilling said the same gang was likely behind the latest attack.

BA and Aer Lingus both said they had told affected employees about the hack and provided advice on how to protect themselves.

A spokesman for Boots said: “A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members’ personal details.

“Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware.”

A spokesman for Zellis said: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.

“We have also notified the ICO, DPC, and the NCSC in both the UK and Ireland.

“We employ robust security processes across all of our services and they all continue to run as normal.”

A Progress Software spokesman said: “We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures.”

A spokesman for the Information Commissioner’s Office said: “Zellis has made us aware of an incident and we are assessing the information provided.”
