One year on – the extent of the MOVEit data hack is just becoming clear 


More than a year after the initial incident, the global repercussions of a significant data breach involving Progress Software’s MOVEit Managed File Transfer (MFT) tool are becoming increasingly clear. This breach, which was orchestrated by the Cl0p gang, has had a profound impact on numerous organisations across the globe, including many in the UK.

How the MOVEit data breach has affected people in the UK

The MOVEit data breach has affected several prominent UK organisations, including payroll provider Zellis.  

Zellis, which provides payroll services to many well-known companies, reported that several of its clients, including British Airways and Boots, were affected by the breach. The compromised data included sensitive information like bank details, national insurance numbers, and contact details, putting thousands at risk of identity theft and financial fraud. 

British Airways, one of Zellis’ clients, revealed that around 34,000 employees had their personal data accessed. Similarly, Boots reported that 50,000 staff members were affected, and the BBC confirmed that employee data had been compromised. Other organisations such as Aer Lingus, Ofcom, and Ernst & Young also fell victim to the breach, with varying degrees of data exposure. 

The wider impact of the MOVEit breach

The MOVEit breach is part of a global incident affecting over 2,700 organisations and nearly 95 million individuals. The sheer scale of the hack underscores the critical need for robust cybersecurity measures and international cooperation to combat cybercrime. 

Most recently, the University System of Georgia (USG), which oversees 26 higher education institutions in the USA, confirmed that it was the victim of the MOVEit attack. This shows that the number of affected organisations is still rising, despite a year having passed since the incident was discovered.  

Understanding the delayed impact of data breaches

When a data breach occurs, the immediate focus is often on containment and mitigation. However, the full impact of such incidents frequently remains unclear until months or even years after the initial breach is discovered. This delayed awareness can have profound consequences for affected individuals.  

Cyber-attacks today are highly sophisticated and often involve multiple stages. Attackers may remain in systems undetected for extended periods, gradually exfiltrating data. Stolen data is not always used immediately. Cybercriminals may wait before exploiting the information or selling it on dark web markets. This delayed misuse means that victims might only discover the breach’s repercussions – such as identity theft or financial fraud – long after the initial incident. 

For example, in the 2017 Equifax breach, the sensitive information of 147 million people was compromised. The breach’s impact continued to surface for years, with victims experiencing ongoing issues related to identity theft and financial fraud long after the breach was first reported. 

The MOVEit data breach is another example of how the full impact of a breach can unfold over time. And, as the extent of the hack becomes clearer, individuals must adopt a long-term approach to data protection. This includes:  

  • Staying informed: Keep abreast of news and updates regarding breaches that may affect your personal data.  
  • Monitoring your finances: Regularly check bank statements, credit reports, and other financial accounts for unusual activity. Consider using credit monitoring services. 
  • Implementing security best practices: Use strong, unique passwords for different accounts, enable multi-factor authentication, and be cautious of phishing attempts. 

For those affected by the MOVEit data breach, taking legal action can provide a path to compensation and justice. By standing up for your rights, you not only seek redress for your own losses but also contribute to the broader effort to hold organisations accountable for protecting personal data. 

At KP Law, our cyber experts are investigating the breach to find out what happened, and which organisations are involved. If you receive notification that you are affected by this data breach, register below to make a no-win, no-fee compensation claim. 

In March 2024, our firm changed its name to KP Law. 
