
In a significant security incident, confidential data relating to several companies regulated by Ofcom, along with the personal information of 412 Ofcom employees, was downloaded during a large-scale hack.

The breach has affected multiple organisations, including British Airways, the BBC and Boots. Transport for London (TfL) also confirmed its exposure. The mass hack targeted MOVEit, a widely used managed file transfer product designed to move sensitive files, such as employee addresses and bank account details, securely between organisations.

Upon discovering the breach, Ofcom alerted all affected companies under its regulation and reported the matter to the Information Commissioner's Office (ICO), the data and privacy watchdog. No payroll data was compromised in the incident.

Ofcom stated: "A limited amount of information about certain companies we regulate – some of it confidential – along with personal data of 412 Ofcom employees, was downloaded during the attack. We took immediate action to prevent further use of the MOVEit service and to implement the recommended security measures. We also swiftly alerted all affected Ofcom-regulated companies, and we continue to offer support and assistance to our colleagues."

Ofcom also confirmed that none of its own internal systems were compromised during the attack.

Transport for London, responsible for public transport in the capital, confirmed that it was affected by the breach. TfL explained that one of its contractors had suffered a data breach. The organisation said it had addressed the issue and secured its IT systems, and that the compromised data did not include banking details. TfL is in the process of informing all affected parties, and the ICO has been notified.

Accountancy firm Ernst & Young (EY) also disclosed that it fell victim to the hack. On becoming aware of the problem with MOVEit, EY launched an investigation into its use of the tool and took urgent steps to safeguard any potentially compromised data.

While the majority of EY's systems utilising the software remained unaffected, the company stated: "We are manually and thoroughly investigating systems where data may have been accessed. Our priority is to first communicate to those impacted, as well as the relevant authorities. Our investigation is ongoing."

This breach is categorised as a "supply-chain attack" and first came to light when US company Progress Software reported that hackers had exploited a vulnerability in its MOVEit Transfer tool. The flaw allowed the attackers to gain unauthorised access to the MOVEit Transfer servers of several organisations and download the files stored on them. Notably, even organisations that do not run MOVEit themselves were affected, because third parties that process their data do.

For instance, the BBC had data stolen from both current and former employees because Zellis, the payroll processing company used by the broadcaster, used MOVEit and became a victim of the breach. It is estimated that eight companies that use Zellis are affected, including British Airways, Aer Lingus and Boots. Additionally, dozens of other UK companies are believed to use MOVEit.

The criminals responsible for the breach are linked to the notorious Clop ransomware group, which is thought to be based in Russia. These hackers have issued threats to publish the data of companies that fail to initiate negotiations by sending an email before a specified deadline. BBC cyber correspondent Joe Tidy explained that the Clop group is known for following through on their threats, and it is highly likely that private data from affected organisations will be disclosed on the gang's darknet website in the coming weeks.

Tidy further noted that victims who do not appear on Clop's website may have quietly paid the group a ransom, potentially amounting to hundreds of thousands or even millions of dollars' worth of Bitcoin. However, victims are strongly encouraged not to pay: doing so only funds the growth of these criminal enterprises, and there is no guarantee that the hackers will delete the data rather than use it for secondary attacks.

The aftermath of this mass hack is a stark reminder that an organisation's exposure extends to every third party that holds its data. Organisations need to know which suppliers process their sensitive information and which file-transfer products those suppliers run, apply vendor-recommended fixes promptly when a flaw in such a product is disclosed, and have a response plan ready so that affected individuals and regulators can be notified quickly. Protecting their own systems and data, and holding their suppliers to the same standard, is what preserves the trust of their stakeholders.