
Who are The Clop Gang? Russian hackers behind the BBC, BA, Boots cyberattack are on a rampage

But now cybersecurity researchers are warning that this incident is far from over — the issue is much wider than previously thought and there are still serious consequences to come. The Standard understands that several other British firms have been affected by this cyberattack.

The Russian cybercriminal gang Clop has been active since February 2019 and has survived many challenges, including police raids on servers in Ukraine in June 2021 that led to the arrests of several people said to be working for the gang. Clop has so far successfully attacked at least 230 firms, according to cybersecurity researchers.

Cyber attack targeted a security flaw in the MOVEit file transfer software

The attack occurred because Zellis fell victim to a cyberattack through a product from one of its third-party suppliers: MOVEit Transfer, a managed file transfer application from Progress Software that organisations use to exchange files, a kind of "Dropbox for enterprises". MOVEit Transfer runs on Microsoft Windows servers, but the flaw the hackers found was in the MOVEit application itself, not in Windows: a previously unknown SQL injection vulnerability, later assigned CVE-2023-34362, which they used as a door to the payroll data Zellis moved through the software.

MOVEit's owner Progress says that it has more than 100,000 customers around the world. It is not known exactly how many of those use the MOVEit software, but the issue potentially affects many more victims than are currently known, because any organisation running a vulnerable MOVEit Transfer server, and any customer of a supplier that does, could have had confidential files exposed.

“Anyone that is running the MOVEit software should assume they might have been breached,” Rick Holland, the chief information security officer at global cybersecurity firm ReliaQuest told The Standard.

“Hopefully, everyone has kicked in their incident response. According to our research, there are more than 1,000 servers [in the world] running unpatched versions of the software.”

He added that Clop essentially has a “treasure trove” of stolen information to sift through. The gang will go after large organisations that have the money to pay, but it could take a while before victims are notified, or discover for themselves, that their data has been compromised.

Huge risk of employee details being exposed online

Potentially tens of thousands of BBC employees could have been affected by the Zellis data breach

Unfortunately, the Zellis cyberattack news is far from over — not for Zellis, Progress, or the tens of thousands of BBC, British Airways, Boots, and Aer Lingus employees, Mr Holland warns.

Clop has a website on the Dark Web where it routinely uploads data dumps from the companies it has breached. Clop has been described in the media and by some researchers as a ransomware group, but in this campaign the gang did not deploy malware to encrypt victims' computers; it stole data and threatened to publish it unless a Bitcoin ransom was paid.

The fact that the BBC, British Airways, Boots, and Aer Lingus are not yet listed on the website suggests that Clop, which operates as an extortion group, is likely now in negotiation with these firms, according to Mr Holland. The gang makes money by threatening to expose confidential company data if it doesn’t get paid.

“Clop wants to negotiate with them. Typically, the way they work is to set up a chat and email function with the company and say, ‘Hey, pay us,’. Their first move is to negotiate,” he explains.

You might not even know you’ve been hacked

The other big issue is that, even if your firm has a good security team that has kicked into action and applied Progress's fixes to your MOVEit Transfer servers, it might still struggle to detect whether Clop has been by to pay a visit. Patching closes the door; it does not tell you whether someone already walked through it.

In order to detect a data breach, enterprises really need to be checking their server logs for the past 90 days, advises Mr Holland. Typically, many companies, including some of ReliaQuest’s own customers, only keep 30 days’ worth of logs, which are then wiped.

Christopher Budd, senior manager for threat research at British cybersecurity firm Sophos, agrees: “It’s important to note that patching will not remove any webshells or other artefacts of compromise. This makes it critical that MOVEit customers include a check for compromise after deploying patches in addition to deploying patches. Patching alone is not sufficient.”

Clop exploited a SQL injection flaw in MOVEit Transfer that was a zero-day: a vulnerability the vendor did not know about, and had no patch for, when exploitation began. SQL injection itself is a long-known class of bug in which attacker-supplied input is run as part of a database query; what made this one a zero-day was that it was unknown and unpatched, not that it was a new kind of attack.

“SQL injection is a command and many customers don’t have enough historical server logs pertaining to their file transfer service provider,” explains Mr Holland.

“Clop is a dangerous ransomware group and was one of the earlier adopters of extorting stolen data, not just pure-play ransomware. Given their propensity to exploit zero-day vulnerabilities, they demonstrate a technical capability beyond many extortion groups.”

Unfortunately, no-one can prevent zero-day vulnerability attacks, warns Mr Holland: “How quickly you respond and mitigate are the most viable courses of action. Rapid patching, abundant logging, and security monitoring are the best bets.”
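One way to act on the advice above (look back 90 days, and check for compromise rather than trusting the patch), as an added example that is not code from The Standard, Progress, ReliaQuest or Sophos: a Python script that reads IIS W3C logs from a MOVEit Transfer host, flags requests for .aspx endpoints outside an allowlist, summarises the clients that made them, and reports how far short of a 90-day window the retained logs fall. The log lines are constructed, and the allowlist, the hypothetical /x_reports.aspx name and the 2023-06-30 reference date are assumptions; real indicators of compromise should come from the vendor's advisory.

```python
"""Post-patch compromise check for a MOVEit Transfer host (added example).

Two checks from the advice above: (1) look back through the IIS logs for
requests to .aspx endpoints the application is not expected to serve, and
(2) report how far back the retained logs reach, since 30 days of retention
cannot answer a 90-day question. All data below is constructed sample data.
"""
from collections import defaultdict
from datetime import date, datetime

# ASSUMPTION: endpoints a clean install is expected to serve. Replace with the
# real inventory of your MOVEit Transfer web root and the vendor's IOC list.
EXPECTED_ASPX = {"/human.aspx", "/machine.aspx", "/guestaccess.aspx"}

# Constructed IIS W3C extended log excerpt; not real traffic. The
# hypothetical /x_reports.aspx stands in for any file that should not exist.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2023-06-01 08:02:11 10.0.0.5 GET /human.aspx - 443 jdoe 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 54
2023-06-01 08:02:40 10.0.0.5 POST /human.aspx - 443 jdoe 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 131
2023-06-02 23:14:09 10.0.0.5 POST /x_reports.aspx - 443 - 198.51.100.7 python-requests/2.31 200 2030
2023-06-02 23:14:12 10.0.0.5 GET /x_reports.aspx - 443 - 198.51.100.7 python-requests/2.31 200 9
2023-06-03 09:15:00 10.0.0.5 GET /machine.aspx - 443 svc-batch 203.0.113.20 curl/8.1.0 200 40
2023-06-03 10:01:27 10.0.0.5 GET /guestaccess.aspx - 443 - 203.0.113.44 Mozilla/5.0+(Macintosh) 200 61
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before the #Fields header")
        values = line.split()
        # W3C encodes spaces inside a field as '+', so a token-count mismatch
        # means a malformed line rather than a multi-word value; skip it.
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def unexpected_aspx_hits(records, expected=EXPECTED_ASPX):
    """Requests for .aspx resources outside the allowlist: candidates for a dropped web shell."""
    allowed = {e.lower() for e in expected}
    return [r for r in records
            if r["cs-uri-stem"].lower().endswith(".aspx")
            and r["cs-uri-stem"].lower() not in allowed]


def suspicious_clients(hits):
    """Summarise hits per source IP: request count, endpoints touched, first and last seen."""
    summary = defaultdict(lambda: {"count": 0, "stems": set(), "first": None, "last": None})
    for r in hits:
        seen = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        entry = summary[r["c-ip"]]
        entry["count"] += 1
        entry["stems"].add(r["cs-uri-stem"])
        entry["first"] = seen if entry["first"] is None else min(entry["first"], seen)
        entry["last"] = seen if entry["last"] is None else max(entry["last"], seen)
    return dict(summary)


def log_coverage_days(records, today):
    """How many days back from `today` (ISO string or date) the retained logs reach."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if not records:
        return 0
    earliest = min(date.fromisoformat(r["date"]) for r in records)
    return (today - earliest).days


def retention_shortfall(records, today, required_days=90):
    """Days of history missing relative to the 90-day lookback recommended above."""
    return max(0, required_days - log_coverage_days(records, today))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, info in suspicious_clients(unexpected_aspx_hits(recs)).items():
        print(f"{ip}: {info['count']} hits on {sorted(info['stems'])} "
              f"between {info['first']} and {info['last']}")
    missing = retention_shortfall(recs, "2023-06-30")  # assumed reference date
    print(f"log history short of the 90-day window by {missing} days"
          if missing else "90-day window covered")
```

A hit list like this is a starting point for forensic work, not a verdict: a file outside the allowlist might be a legitimate customisation, and a web shell could just as well be dropped under a name that looks like an allowed file, so pair the log review with a file-level comparison of the web root against a known-good install and with the vendor's published indicators. The retention check is the part most teams skip; if it reports a shortfall, the honest conclusion is that the 90-day question cannot be answered from logs alone.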

Have you been affected?

British Airways, the BBC and Aer Lingus did not respond to Mr Holland’s comments on Clop extorting data breach victims.

BA said it was “deeply disappointed” that its staff were impacted by the Zellis cyberattack. The airline has provided affected employees with access to a specialist service that helps detect possible misuse of personal information and provides identity monitoring support.

A BBC spokesman said: “We are aware of a data breach at our third party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”

The BBC employee data disclosed includes first and last names, dates of birth, National Insurance numbers and the first line of their addresses.

An Aer Lingus spokeswoman said: “Aer Lingus has been notified by a third-party service provider (Zellis – provider of HR and payroll support services) that they have experienced a cybersecurity incident, which has resulted in a disclosure of some of our current and former employee data.

“However, it has been confirmed that no financial or bank details relating to Aer Lingus current or former employees were compromised in this incident. It has also been confirmed that no phone contact details relating to Aer Lingus current or former employees were compromised.”

Aer Lingus has established a dedicated phone line, email address and additional support from its cyber security and data privacy teams.

The Standard has contacted Progress and Boots for comment.

A Zellis spokeswoman told The Standard: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.”

She added that Zellis took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring, as well as notifying the ICO, DPC, and the NCSC in both the UK and Ireland.
