BBC staff warned A vulnerability in a software tool used by the company that manages their payroll may have been exploited to put their personal data in the hands of cybercriminals.
There are a lot of moving parts here, so I’ll give a quick recap here.
BBC – British Broadcasting Company. That employee’s data can be misused by cybercriminals.
IBM – Companies that have subcontracted work to Zellis.
Zelis – The company that managed the BBC’s payroll services via IBM, apparently using a program called MOVEit Transfer.
progress – Developer of MOVEit Transfer. critical vulnerability.
Cl0p – A Russian-speaking ransomware extortion group is allegedly involved in the breach.
According to the BBC, Zelis said he had seen no evidence that employee bank account details had been exposed in a data breach.
Even if that’s true, enterprising criminals are turning fraud, identity theft, and even simple attacks against affected businesses that don’t want their employee details exposed on the dark web. There may still be plenty of opportunities for extortion.
It’s important to realize that blaming the BBC, Boots, British Airways, IBM, or even Xerith for this data breach is like shooting Messenger instead of actually being responsible. It is important.
Progress, developers of the buggy MOVEit Transfer software, have some apparently difficult questions to answer, and hopefully they’ll release a patch for this problem soon.
But ultimately the true bad guys in this story are the malicious hackers who have exploited their flaws to make a criminal fortune.
Recommended reading for organizations using MOVEit Transfer. Progress Security Informationtake the recommended steps to mitigate the threat.
Unfortunately, if data has already been stolen, it is the responsibility of the company to notify affected individuals and businesses and report the incident to regulators.