July 13, 2024
BBC staffers warned of payroll data breach. Other companies also affected by MOVEit vulnerability • Graham Cluley

Staff at the BBC have been warned that their personal data may now be in the hands of cybercriminals, following the exploitation of a vulnerability in a software tool used by the company that manages their payroll.

There are a lot of moving parts here, so here’s a quick summary.

BBC – The British Broadcasting Corporation, whose staff’s data may now be exploited by cybercriminals.

IBM – the company that outsourced the work to their contractor, Zellis.

Zellis – the company that was managing the payroll service for the BBC via IBM, and had apparently been using a program called MOVEit Transfer.

Progress – the developer of MOVEit Transfer, a file transfer tool which contains a serious vulnerability.

Cl0p – the Russian-speaking ransomware extortion gang which is being linked to the breach.

According to the BBC, Zellis says it has not seen any evidence that bank account details of its staff were exposed by the data breach.

Even if that’s true there may still be plenty of opportunities for enterprising criminals to commit fraud, identity theft, or even just plain-old extortion of affected companies who don’t want their staff’s details plastered over the dark web.

Zellis has many other corporate customers including British Airways and UK high street pharmacy Boots, whose thousands of staff also appear to be affected.

It’s important to recognise that blaming the BBC, Boots, British Airways, IBM, or even Zellis for this data breach is a case of shooting the messenger – rather than those where the fault really lies.

Progress, the developers of the buggy MOVEit Transfer software, clearly have some difficult questions to answer and let’s hope that they release a patch for the problem soon.

But ultimately the real villains of this story are the malicious hackers who’ve exploited the flaw to make their criminal fortunes.

Any organisation using MOVEit Transfer would be wise to read Progress’s security bulletin, and take the advised steps to mitigate the risk.

Sadly, if data has already been stolen then the onus is upon your business to inform affected individuals and companies, as well as reporting the incident to regulators.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.