British Airways (BA) has revealed that all of its UK-based salaried staff have been affected by a cyber incident that has exposed personal data, including banking and contact details, to hackers.
Last week, a so-called zero-day vulnerability — a flaw that has been exploited by cybercriminals — appeared in the file transfer system MOVEit produced by Progress Software.
It allows hackers to use MOVEit Transfer to access information on a range of global companies.
Thousands of companies are understood to have been affected.
UK-based payroll provider Zellis confirmed on Monday that eight of its clients were among them.
It did not name the organizations.
However, British Airways confirmed it had been involved in the incident.
The airline employs 34,000 people in the UK.
Boots, which employs 50,000 people, said it was also affected.
The Telegraph reported that the BBC was also one of the organizations involved in the hack, adding that the attack was linked to a Russian group.
Since the outbreak of the Ukraine war, there has been a spate of Russia-linked cyber-attacks aimed at Western governments, agencies and companies turning their backs on Russia.
In this case, the leaked information included contact details, National Insurance numbers and bank details.
BA told Sky News: “We have been advised that we were one of the companies affected by the Zellis cybersecurity incident, which occurred through one of their third-party suppliers, MOVEit.
“Zellis provides payroll support services to hundreds of companies in the UK, and we are one of them.
“This incident occurred due to a new, previously unknown vulnerability in the widely used MOVEit file transfer tool. We have notified colleagues whose personal information was compromised to provide support and advice.”
A Boots spokesperson said: “A global data breach impacted third-party software used by one of our payroll providers, which included some personal details of our team members.
“Our provider assured us that immediate steps were taken to disable the server, and we have let our team members know as a matter of priority.”
In its own statement, Zellis said: “A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product.
“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.
“No Zellis-owned software was impacted, and there have been no related incidents or compromises to any other part of our IT estate.
“As soon as we became aware of the incident, we took immediate action to disconnect the server using the MOVEit software and engaged an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”