Tens of thousands of employees of British Airways, the UK drugstore chain Boots and the BBC were among those who had their personal data exposed following a wide-ranging breach centered on a popular file transfer tool, the organisations confirmed.
BA, the BBC and Boots said the breach occurred at their payroll provider, Zellis. The provincial government of Nova Scotia, in Canada, was also hit by the breach.
The data from Zellis and the Nova Scotia government was exposed through their use of the MOVEit file transfer software, both organizations said in separate statements.
Zellis declined to say how many customers were affected.
The Nova Scotia government did not immediate return a request for comment. In a statement, Nova Scotia’s Cyber Security and Digital Solutions Minister Colton LeBlanc said his residents “will have questions, and we do, too.”
British Airways said it had notified affected employees and was providing them with support. Boots, part of Walgreens Boots Alliance, said the attack had included some of its employees’ personal details.
The BBC said it was working with Zellis “as they urgently investigate the extent of the breach.”
MOVEit has been at the centre of security industry concerns after its maker, Progress Software, disclosed a flaw last week that could have allowed hackers to intercept data being exchanged through the program.
Microsoft said it believed the group behind the hacks was “Lace Tempest” – the nickname assigned to online extortionists who run the cl0p ransomware site.
In an email to Reuters, the “cl0p team” confirmed it was responsible for the breaches, saying “it was our attack” and that victims who refused to pay would be named on its website. The group did not immediately respond to a request for more details.
Boots employs over 50,000 people in Britain. British Airways has about 30,000 staff, and the BBC employs more than 21,000 people.