The cybercriminals behind the recent ransomware attack on UK payroll company Zellis have exploited a vulnerability in Progress Software’s MOVEit file transfer app. The hackers have demanded payment from at least 8 customers of Zellis, including British Airways, Aer Lingus, Boots, and the BBC. The victim companies have been given until 14th June to negotiate ransom payments, or else hundreds of thousands of employees’ data will be published online. The stolen data includes national insurance numbers, home addresses, and bank details.
Russian ransomware gang Clop has claimed responsibility for the attack and has said that it possesses information on hundreds of other companies. Roughly 42% of FTSE 100 companies are Zellis customers, paying over £28bn annually via Managed Services.
According to Simon Newman, Advisory Council member of the International Cyber Expo, cybercriminals are increasingly targeting supply chains, which are often long and complex. Breaching a supplier provides a potential back door into larger organisations, and because a third party typically provides services to many firms, the scale and scope of an attack can be far greater. Nonetheless, only 13% of businesses regularly review the risks posed by their immediate suppliers, according to the Cyber Breaches Survey 2023. To address this, the National Cyber Security Centre (NCSC) has issued new guidance on supply chain security to boost awareness and encourage best practice.
Ray Kelly, Fellow at Synopsys Software Integrity Group, noted that the Zellis attack underlines the importance of safeguarding the software supply chain when it comes to data privacy. In this instance, a single vulnerability in a piece of software run by a third-party vendor paved the way for the exposure of employee data across several client companies. Kelly expects GDPR fines to be assessed on multiple organisations involved in the incident, because the software supply chain aspect complicates the situation.
The attack is a harsh reminder of the value of data to cybercriminals and of the pressure placed on businesses to pay large ransoms to prevent data loss. Javvad Malik, lead security awareness advocate at KnowBe4, therefore recommends that organisations implement multi-layer cybersecurity defences, carry out employee awareness training in cybersecurity, and maintain a tested incident response plan. Paying criminals to release data rarely results in its safe return and merely exposes the payer to further ransomware attacks in the future, according to Newman.
