Shell latest company to confirm that employee and customer data are affected by Clop cyber-attack

On 5 June 2023, British Airways, Boots and BBC all announced that Zellis, their payroll services provider in the UK, had been the victim of a successful cyber-attack, as a result of which the personal data of their staff had been hacked. Responsibility for the cyber-attack was claimed by the notorious Russian ransomware group C10p (Clop). It is reported that they exploited a vulnerability in the MOVEit file transfer software, used by Zellis as well as many other companies.

Over the following days, other organisations, including DHL, Transport for London, Ofcom and Ernst & Young came forward to confirm that they were also affected by the cyber-attack, either through using Zellis as a payroll services provider or through their use of the MOVEit software.

Now more companies have come forward to confirm that they have been affected by the cyber-attack. These include Shell who confirmed that the MOVEit software was used by “a small number of Shell employees and customers” and that they were in touch with those affected. It is not clear what customer or employee personal data has been affected.

On 6 June 2023, Clop posted a notice on its darknet site stating that they had information on “hundreds of companies” and warning the affected organisations to contact them by 14 June 2023 to agree a ransom payment or they would publish the stolen data. Following the expiry of the deadline, Clop appears to have started posting stolen data. On 16 June 2023, Clop posted a message "SHELL.COM DO NOT WANT TO NEGOTIATE - DATA POSTED !!!" together with links to downloadable files.

Sean Humber, a data breach specialist and partner at Leigh Day, who has successfully acted in a series of claims relating to the unauthorised disclosure of confidential information over the last 20 years, including claims against large multinational companies, stated:

“Sadly, the number of organisations affected by this cyber-attack continues to grow. If it turns out that the security measures in place to protect the data were not adequate, those individuals whose personal data has been affected by these data breaches are likely to be entitled to compensation for the distress caused by the breach as well as any financial losses that they may have suffered.”

Gene Matthews, a partner at Leigh Day, who has successfully acted in a succession of large group claims over the last 20 years, added:

“This is likely to be a deeply worrying time for those who have been affected. It is vital that the full extent of the data breach is clarified without further delay. This means identifying all organisations that have been affected and what employee personal data from these organisations has been accessed.”

If you have been affected by this data breach and wish to register an interest in bringing a claim for compensation, without any obligation, please get in touch.