Payroll services provider Zellis is the latest firm to have been targeted by the MOVEit cyber breach, confirming that personal data from eight client firms has been stolen.
British Airways, the BBC, Boots, and other major organisations are among Zellis customers to have had personal data and bank details compromised following the exploitation of a zero-day flaw in file transfer system MOVEit.
The BBC has warned employees of stolen data including staff ID numbers, home addresses, national insurance numbers and dates of birth, while other firms have warned of bank details being compromised following the breach.
Reports of the attack first surfaced last week following a zero-day vulnerability in MOVEit, built by Progress Software, with organisations continuing to discover the extent of the breach and warning staff of potential data loss.
Thousands of firms are understood to have been impacted by the breach.
A spokesperson from the National Cyber Security Centre says: “We are working to fully understand UK impact following reports of a critical vulnerability affecting MOVEit Transfer software being exploited.
“The NCSC strongly encourages organisations to take immediate action by following vendor best practice advice and applying the recommended security updates.”
Achi Lewis, Area VP Emea for Absolute Software, comments: “Prevention of cyber-attacks is always the preference, but supply chains add additional risk to an organisation’s cyber protections, providing threat actors with an extra way in beyond internal defences. Supply chain attacks can be a lucrative attack method for cybercriminals due to the knock-on impact a breach can have on multiple targets and represent an area of risk that organisations must factor into detection and prevention strategies.”