The BBC, British Airways and Boots have warned staff that swathes of personal data were stolen in a massive cyber attack on their payroll provider.
Zellis, which also provides payroll services for the NHS and Jaguar Land Rover, confirmed on Monday that staff of eight companies had been affected by the breach, in which hackers exploited a vulnerability in a third-party file transfer system, MOVEit.
The firm did not identify all of the companies targeted, but the BBC, British Airways and Boots all confirmed they were hit.
British Airways wrote on Monday to staff members paid in the UK to confirm the incident, which is thought to have exposed personal data including names, addresses, national insurance numbers and banking details.
A BA spokesperson said: “We have been informed that we are one of the companies impacted by Zellis’s cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.
“Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.
“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.”
Boots also confirmed it had been affected, while a BBC spokesperson said: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”
A spokesman for Zellis said: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.
“All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.”
A spokesman for the Information Commissioner’s Office confirmed the company “has made us aware of an incident and we are assessing the information provided.”