British Airways, BBC, Others Hit by Cyberattack

Several of the U.K.’s largest companies have been hit with a cyberattack that compromised the personal data of tens of thousands of employees.

The attack is anticipated to spread to the U.S., with the full reach not yet clear.

The Russian-speaking perpetrators, operating under the name Clop, issued the companies an ultimatum on June 7, telling victims to email them by June 14 or else their personal information will be published online. 

British Airways, Boots and the BBC are among the companies impacted, with the privacy breach hitting the software MOVEit used by U.K. payroll provider Zellis. 

Aer Lingus and the University of Rochester have also reportedly been hit by the attack, while the government of Nova Scotia released a statement saying some citizens’ personal data may have been compromised.

The statement said staff are working to determine what information was stolen, and how many people have been impacted. 

Several U.S. companies use the same MOVEit software and concerns have arisen that the attack could have already extended to those businesses.

The Cybersecurity and Infrastructure Security Agency (CISA) released a statement on June 1 warning of the vulnerability in MOVEit Transfer.

“A cyberthreat actor could exploit this vulnerability to take over an affected system,” the agency said. “CISA urges users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates and hunt for any malicious activity.”

This is not the first time Clop has emerged as a significant cyberthreat, with several hackers thought to be working in the group arrested after causing an estimated half a billion dollars in losses from victims around the world.