020 7650 1200

Man Typing Hacker

Leigh Day launches investigation of data breach legal claim for British Airways, BBC, Boots and DHL employees following mass hack of personal data

Leigh Day has launched an investigation of a data breach legal claim on behalf of British Airways, BBC, Boots and DHL employees following mass hack of personal data through payroll systems.

Posted on 20 July 2023

Many thousands of workers are believed to have been affected by the cyber-attack in June 2023 which exploited a vulnerability in a widely used file transfer tool called MOVEit, supplied by Progress Software, to access organisations’ IT systems.

One of the organisations affected is Zellis, a company providing payroll services to companies in the UK including British Airways (BA), BBC, Boots and DHL. As a result of the attack on Zellis, the personal data of current and former employees of BA, BBC, Boots and DHL has been accessed. Zellis issued a statement confirming that it had suffered a data breach affecting some of its customers. BA, BBC, Boots and DHL have since contacted those employees and ex-employees affected to notify them that their personal data has been hacked.

Leigh Day has been contacted by up to 200 employees who have been notified by their employers that they have been affected by the data breach. The law firm is investigating potential claims for compensation on their behalf.

The data breach includes:

  • In the case of BA: employees’ names, contact details (home address and work email), dates of birth, national insurance numbers, banking details (account number and sort code), pay and reward details and other ancillary data relating to the employees’ roles.
  • In the case of the BBC: BBC ID Number, Title, First Name, Last Name, Date of Birth, National Insurance Number, Address line 1, BBC Email Address, BBC Employment or Engagement Start Date, BBC Employment or Engagement End Date.
  • In the case of Boots: title, first name, surname, employee number, date of birth, email address, the first line of home address, national insurance number and employment start and end date.
  • In the case of DHL: employees’ DHL payroll number, first name, surname, date of birth, National Insurance Number, first line of address and employment start date and employment end date (for leavers).

IT specialists have attributed the cyber-attack to the notorious Russian ransomware group C10p (Clop), on the basis of its similarity to previous attacks by the group. Clop have also posted a notice on their darknet site stating that they had exploited vulnerabilities in the MOVEit software to download data from “hundreds of companies” and warned affected organisations to contact them to agree a ransom payment or they would start publishing the stolen data. Following the expiry of the deadline, Clop have started naming companies and posting stolen data. To date, they do not appear to have identified Zellis, BA, BBC, Boots or DHL.

The investigation of legal claim for compensation is being led by Leigh Day data breach claims specialist lawyers, Sean Humber and Gene Matthews.

Sean Humber, a partner at Leigh Day, who has successfully acted in a series of claims relating to the unauthorised disclosure of confidential information over the last 20 years, including claims against large multinational companies, stated:

“This is a serious data breach. Clearly, for hackers to be able to access this personal data, something has gone badly wrong. It will be important to critically review the adequacy or otherwise of the security measures in place and who bears responsibility for any shortcomings identified. If it turns out that the security measures were not adequate, it is likely that those affected are likely to be entitled to compensation for the distress caused by the breach as well as any financial losses that they may have suffered.”

Gene Matthews, a partner at Leigh Day, who has successfully acted in a succession of large group claims over the last 20 years, added:

“This is likely to be a deeply worrying time for those affected, particularly if their financial details have been compromised. These kinds of data breaches can leave those affected at increased risk of fraud and identity theft.”

If you have been affected by this data breach and wish to further information about joining the claim, on a “no win, no fee” basis with no up-front payment required, please click here.

Sean Humber
Data protection and privacy Discrimination Environment Human rights Judicial review

Sean Humber

Sean is an experienced human rights lawyer and privacy breach compensation claims specialist

Gene Matthews
Clinical trials Data protection and privacy Diesel emissions claims Group claims Human rights Medical devices Product safety

Gene Matthews

Gene specialises in consumer law, product liability and data protection claims mainly brought as group claims/ multi-party actions

Group Claim
Hacker Data Breach
over 350 clients already signed up

MOVEit - Zellis data breach claim

Claim against: MOVEit-Zellis