Serious data breach affects personal information of tens of thousands of British Airways, Boots and BBC staff

On 5th June 2023, British Airways, Boots and BBC all announced that Zellis, their payroll services provider in the UK, had been victim of a successful cyber-attack, as a result of which the personal data of their staff had been hacked. 

Responsibility for the cyber-attack was claimed by the notorious Russian ransomware group C10p (Clop).  It is reported that they exploited a vulnerability in Progress Software's MOVEit file transfer tool, used by Zellis. Zellis have not confirmed whether or not any other of its clients have also been affected. However, it has been reported that Aer Lingus, the Nova Scotia Government and the University of Rochester in New York State have also been affected by the cyber-attack.
 
British Airways informed staff that employees' names, dates of birth, addresses, pay details, and banking information had been accessed.  The BBC stated that it believed that employees’ company ID and national insurance numbers were compromised but not banking information. Boots stated that the staff names, surnames, employee numbers, dates of birth, email addresses, home addresses, and national insurance numbers had been breached for a “very small number” of employees.
 
On the evening of 6th June 2023, Clop posted a notice on its darknet site stating that they had information on “hundreds of companies” and warning the affected organisations to contact them by 14th June 2023 to agree a ransom payment or they would publish the stolen data.
 
Sean Humber, a data breach specialist and partner at Leigh Day, who has successfully acted in a series of claims relating to the unauthorised disclosure of confidential information over the last 20 years, including claims against large multinational companies, stated:
 
“This is a serious data breach, particularly in the cases where financial information has been taken.  Clearly, for hackers to be able to access this personal data, something has gone badly wrong.  It will be important to critically review the adequacy or otherwise of the security measures in place and who bears responsibility for any shortcomings identified.  If it turns out that the security measures were not adequate, it is likely that those affected are likely to be entitled to compensation for the distress caused by the breach as well as any financial losses that they may have suffered.”
 
Gene Matthews, a partner at Leigh Day, who has successfully acted in a succession of large group claims over the last 20 years, added:
 
“This is likely to be a deeply worrying time for those who have been affected.  It is vital that the full extent of the data breach is clarified without further delay.  This means identifying all organisations that have been affected and what employee personal data from these organisations has been accessed.”
 
If you have been affected by this data breach and wish to register an interest in bringing a claim for compensation, without any obligation, please get in touch. 

*This article was updated on 7/6/23