Hacking announcements by DHL, Transport for London, Ofcom and Ernst & Young likely to lead to substantial claims for compensation

On 5th June 2023, British Airways, Boots and BBC all announced that Zellis, their payroll services provider in the UK, had been the victim of a successful cyber-attack, as a result of which the personal data of their staff had been hacked. Responsibility for the cyber-attack was claimed by the notorious Russian ransomware group C10p (Clop). It is reported that they exploited a vulnerability in the MOVEit file transfer software, used by Zellis as well as many other companies. On 6th June 2023, Clop posted a notice on its darknet site stating that they had information on “hundreds of companies” and warning the affected organisations to contact them by 14th June 2023 to agree a ransom payment or they would publish the stolen data.

Over the last week, other organisations have come forward to confirm that they have also been affected by the cyber-attack, either through using Zellis as a payroll services provider or through their use of the MOVEit software directly.

DHL have confirmed that they used Zellis as their payroll provider in the UK and that employee personal data may have been accessed. This includes employee number, first name, surname, date of birth, National Insurance No., first line of address, email address, employment start date and employment end date.

Transport for London (TfL) have confirmed that one of its contractors who used MOVEit has been affected by the cyber-attack and they were writing to all involved to make them aware of the incident, although also confirmed that it did not affect customer information and that banking details were not affected.

Ofcom have confirmed that confidential data about some companies that they regulate, as well as personal information from 412 employees, was downloaded during the cyber-attack.

Accountancy firm Ernst & Young (EY) have also confirmed that they used MOVEit, that some of their systems may have been accessed and that they were informing those affected.

Sean Humber, a data breach specialist and partner at Leigh Day, who has successfully acted in a series of claims relating to the unauthorised disclosure of confidential information over the last 20 years, including claims against large multinational companies, stated:

“Day by day, the seriousness of the cyber-attack becomes clearer as further organisations confirm that they have been affected. Sadly, I fear we don’t yet have the full picture and that other organisations are likely to come forward in the coming days. If it turns out that the security measures in place to protect the data were not adequate, those whose personal data has been affected are likely to be entitled to compensation for the distress caused by the breach as well as any financial losses that they may have suffered.”

Gene Matthews, a partner at Leigh Day, who has successfully acted in a succession of large group claims over the last 20 years, added:

“This is likely to be a deeply worrying time for those who have been affected. It is vital that the full extent of the data breach is clarified without further delay. This means identifying all organisations that have been affected and what employee personal data from these organisations has been accessed.”

If you have been affected by this data breach and wish to register an interest in bringing a claim for compensation, without any obligation, please get in touch.