Which hackers have the stolen employee data from the BBC, British Airways and Boots? 

data breach

In June 2023, hackers – believed to be part of Russian crime group Clop– exploited a security flaw in the MOVEit file transfer software. The breach affects several global organisations that use this software.  

Zellis provides payroll support services to hundreds of companies in the UK. Zellis used the software and eight of its clients are said to be impacted by the breach, including the BBC, British Airways and Boots.  

Over the last week, Clop has been posting the names of those companies it claims to have accessed, pressurising them into paying a ransom.  So far, around 50 victims have been shared, but none of the ‘big names’ have been posted by Clop. And, according to the BBC, Clop is now claiming that: “We don’t have that data and we told Zellis about it. We just don’t have it. We are an old group and have never deceived anyone, if we say that we do not have information, then we do not have it,” 

Following the statement by Clop, the BBC has put forward several possibilities for what has happened to the stolen data. These are:   

  • Another, unknown hacker gang has the stolen Zellis data  
  • Clop is lying 
  • Clop has already sold the data to another group of cybercriminals (Clop denies this) 

Zellis has yet to respond to Clop’s announcement, stating only that: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.” 

If Clop is telling the truth, then the affected Zellis clients could be at greater risk than was initially thought. The situation is suddenly less certain as nobody knows where the stolen data is.  

At KP Law, our cyber experts have been investigating the MOVEit data breach for a few weeks now. From what we have been able to establish, the software was flawed on many different levels, so it is quite likely that more than one hacker group was able to infiltrate it.  

Who is responsible for your data?

This is a good question, and it is a tricky one to answer. Because while it was MOVEit that was hacked, organisations – including employers – are responsible for the security of their personal data.   

One thing is certain, regardless of which cybergang now has the stolen data from Zellis, affected Boots, BA and BBC employees are at risk. 

If you receive notification that you are affected by this data breach, register below to make a no-win, no-fee compensation claim. 

In March 2024, our firm changed its name to KP Law. 

Share this article: