Thousands of Companies' Data Stolen Through MOVEit Flaw
Friday, 9 June 2023
Hackers have obtained copies of files uploaded to MOVEit, Progress Software's file transfer system, affecting numerous high-profile victims, including British Airways, the BBC, and Boots UK Limited. The flaw in the software has prompted security warnings from Microsoft, Google, the UK National Cyber Security Centre, and the US Department of Homeland Security.
Publicly available data sources indicate that there are thousands of other companies currently using vulnerable versions of the software in question, and an internet search performed by Bloomberg News revealed that law firms, health-care organisations and IT firms are among those affected. It is assumed that all companies using the software have had their data compromised.
Microsoft have identified the hackers as the same group of cybercriminals who run the Clop ransomware (and operate under the same name). The Clop group have previously been responsible for attacks on two other secure file transfer products: one developed by Kiteworks, and the other developed by Fortra.
In previous attacks, the Clop group have demanded ransoms in exchange for not uploading company data online, and it is expected that the same will be true for companies affected by the MOVEit flaw. A representative for the Clop group claimed it deleted data stolen from "military, GOV, children's hospitals, police." When asked how many companies were breached, the representative replied, "You all recognise them if they refuse to pay, they will appear on our blog."
"When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps," Progress spokesperson John Eddy said in a statement. Charles Carmakal, chief technology officer at Mandiant, says he expects "the extortion communications to start anytime within the next four weeks or so. There is a lot of data that the threat actor has to sort through. When the extortion starts, it will probably carry on for a few months."
British Airways, the BBC, and Boots UK Limited alerted their staff that their personal information may have been compromised by an attack on their payroll provider, Zellis. In a statement, Zellis said, "Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring."
British Airways employees had names, surnames, dates of birth and banking details compromised in the attack, according to a spokesperson for the carrier. Boots said, "Employees' personal details were affected. The server was disabled and staff have been made aware." The BBC confirmed it had been affected, and a spokesperson said they were urgently trying to establish the extent of the data breach.
"Government is working to determine exactly what information was stolen and how many people have been impacted," said a spokesperson for the Nova Scotia government, which is investigating the theft of personal information related to the MOVEit vulnerability.
"This is a typical case of a supply chain attack targeting multiple companies at once that hold extremely sensitive data on employees," said Jake Moore of cybersecurity firm ESET. "The security patch on offer is absolutely vital and should have now been installed by all affected companies to remain protected."