Russian hackers could release the details of thousands of people employed by airlines British Airways and Aer Lingus, along with retail giant Boots and broadcaster BBC. According to reports the cyber attack on Zellis, a payroll processing payroll company may have included personal data such as bank account numbers, names, addresses and national insurance numbers.
The National Cyber Security Centre confirmed it was “working to fully understand the UK impact” of the hack which could stretch to hundreds of thousands of people. So far British Airways, Aer Lingus, Boots and BBC have confirmed they are affected by the breach.
IAG airline, British Airways sent an urgent email to staff on Monday to advise them of the incident which could affect all 34,000 employees. The "cyber security incident which has led to the disclosure of personal information about colleagues paid through British Airways’ payroll in the UK and Ireland." the company said.
The Irish carrier and also part of IAG, Aer Lingus, said details of current and former employees, including their national insurance numbers, had been stolen in the data breach, although a spokesperson assured: "no financial or bank details relating to Aer Lingus current or former employees were compromised in this incident."
According to the Telegraph the hackers hit Zellis through a backdoor system called MOVEit which is often used to move files. At this stage, the current attack is said to affect eight company customers of Zellis, yet the other four firms have not been disclosed.
Zellis issued the following statement "We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring. We have also notified the ICO, DPC, and the NCSC in both the UK and Ireland."