This week, it was discovered that cybercriminals had exploited an ongoing vulnerability in Progress Software’s MOVEit file transfer app to infiltrate the systems of payroll company, Zellis. According to its website, 42% of the FTSE 100 are Zellis customers and over £28bn is paid each year through its Managed Services.
This eventually led to a widespread ransomware attack impacting at least eight customers including the BBC, British Airways, Aer Lingus and Boots; all of whom have been given an ultimatum to begin ransom negotiations before the 14th of June or see hundreds of thousands of their employees’ data published online. Data stolen comprises of national insurance numbers, home addresses and even bank details.
Russian ransomware gang, Clop, have taken responsibility for the attack and have suggested that they have information on hundreds of companies.
Commenting on the news, Simon Newman, Advisory Council member of International Cyber Expo said:
“Many larger organisations have invested heavily in boosting their own cyber security over the past few years, making it more difficult for cyber-criminals to find a way in. As a result, cyber criminals are increasingly shifting their focus onto supply chains which are often long and complex.
The ability to compromise the security of a supplier not only provides a potential back door into larger organisations, but as the third party is likely to provide products or services to other companies as well, it means that the scale and the scope of the attack is far greater.
Despite this, according to the Cyber Breaches Survey 2023, only 13% of businesses regularly review the risks posed by their immediate suppliers. The National Cyber Security Centre (NCSC) recently published new guidance on supply chain security to improve awareness and promote the adoption of good practice.”
Ray Kelly, Fellow at Synopsys Software Integrity Group added:
“This is a significant breach that demonstrates the importance of the software supply chain when it comes to data privacy. In this incident, a single vulnerability in a piece of software run by a third-party vendor led to the compromise and exposure of personal employee data across multiple organisations that the vendor services. The depth of this breach is still being investigated, but it will be interesting to see how GDPR will assess fines for the various organisations involved in this incident, as the software supply chain aspect certainly complicates matters.”
Moreover, Newman cautions the affected companies against paying the ransoms, concluding:
“Paying ransoms to cyber criminals does not guarantee that all the data will be returned. In fact, in most cases, it’s extremely rare and may simply expose you to further ransomware attacks in the future.”