MOVEit hack: 'Many more' UK workers' payroll details at risk, expert warns

More than 100,000 staff at the BBC, British Airways and Boots have been told that their bank details and addresses may be exposed on the "dark web". (Getty)

A cybersecurity expert has warned there could be "many more victims" in the coming weeks after a gang of Russian cyber criminals hacked payroll details of more than 100,000 workers.

Earlier this week the UK’s leading payroll provider Zellis said eight of its customers were impacted by the “global issue”, which may have exposed personal information, including names, addresses, and banking details.

More than 100,000 staff at the BBC, British Airways and Boots have been told that their bank details and addresses may be exposed on the "dark web".

The gang has issued a ransom demand to companies including the BBC, Boots and British Airways, and an expert has warned thousands more may be at risk.

The gang - which goes by the name Clop - has since reportedly issued an ultimatum to companies affected, warning them to email the criminals before 14 June or stolen data will be published.

Also targeted in the attack were the payrolls of Aer Lingus, Nova Scotia Government and the University of Rochester.

Ciaran Martin, chairman of CyberCX UK, said Clop's demands were unusual due to the scale of the hack and warned there could be more victims to come.

Martin urged the companies not to respond to the apparent ransom demand, saying "to do that would be paying for a promise from a gang of criminals".

Cyber security expert Ciaran Martin has warned that thousands more UK workers could be at risk of targeted scams after the Russian MOVEit data leak. (CyberCX)

"What needs to happen now," he told Yahoo News, "is that everyone affected and potentially affected becomes hyper-vigilant, and nobody gives in to the hackers' demands".

He said: "Nothing could have been done to protect against this, the flaw was unknown."

He added: "There are three tiers of victim here - MOVEit, Zellis, and companies such as BA who used Zellis - and it is unlikely to end with the companies we have heard of so far.

"I would expect many more victims to emerge in coming weeks."

What happened and who is responsible?

Clop appears to have exploited a previously unknown flaw in the software system MOVEit, which is used by thousands of companies globally.

One of these is the UK’s leading payroll provider Zellis, which processes salary payments for bodies such as British Airways, Aer Lingus, Boots and the BBC.

Clop - a group of Russian cybercriminals - is thought to have orchestrated the hack over a period of several weeks.

In fact, Martin told Yahoo News UK that 74% of cyber ransom payments can be traced back to Russia.

"Russia provides a safe haven for the largest concentration of cyber criminals in the world," he warned.

"The Russian authorities are quite happy for them to sit there and do bad things as opposed to - for example - if there was a big gang of organised cyber criminals based in the UK or US, terrorising the world with cybercrime, the police here would do something about it.

"The Russians don't do anything about it. If we ask for their help, it is unconstitutional for the Russian state to extradite anybody, so they've got safe haven. So they can sit there hacking away with no comeback. And they make an awful lot of money."

People working for the hacked companies have been urged to be 'extra vigilant' in coming weeks as they may be targeted by scammers. (PA)


How could it affect me?

Many more UK companies use MOVEit and Zellis so it is possible more victims will emerge.

It is believed the details that have been retrieved by the criminals are bank details and addresses, so there is not an immediate risk, but employees of any company using MOVEit or Zellis are more at risk of personalised scams.

Patches to address the vulnerability discovered in the software were offered within 48 hours.

How do hackers make money?

Martin says there are four ways cyber criminals make money:

  1. Ransomware. Blocking access to accounts or software and demanding a ransom for the user to regain access.

  2. Stealing personal data such as bank cards and draining accounts of money.

  3. Overtly - as in the MOVEit case, the criminals have issued a statement of extortion asking victims to contact them and pay money in order to prevent data being published.

  4. Covertly - by selling data or by orchestrating targeted scams.

The BBC is just one of the victims of the MOVEit hack which has accessed bank details of thousands of employees. (Getty)

How can I protect myself against cyber attacks?

Prior to his role at CyberCX, Martin founded the National Cyber Security Centre and worked directly with five British prime ministers advising on the prevention of cybercrime.

He now advises governments and businesses on protecting against cybercrime, but said that individuals need to be just as vigilant.

"No official body, bank or company will ever ask for money over the phone," he said. "As these scammers only have people's bank details they cannot take money from accounts, but they can personalise scams to directly target people as if it were their bank contacting them.

"Always check the email address correspondence is sent from. If somebody calls you, hang up and call back the official number, or even visit your local branch."

Martin said the sheer number of accounts could mean the criminals have too many to work through individually, which is why they are asking the data owners to pay them money to stop them from sharing. But he said even if data is shared, it is often "in a dark corner of the web" so people "should not panic about their data, but be prepared for targeted scams".

He added that while the Russian scammers are not reprimanded for stealing from people outside of the country, the Russian government would come down heavily on anyone who stole from within the country.

Should we prepare for more?

Yes, and Martin says that although there is nothing that can be done to stop the hackers, individuals and governments can ensure they are prepared for when it happens.

"Know how much information you put out about yourself," he advises. "All of that is in your control.

"When you work for somebody, or you buy a concert ticket, and enter bank details, there's nothing you can do to protect them, but that's why we have data protection regulations.

"But what can the ordinary person do about it? In terms of guarding against this in the future?

"Nothing.

"You can't do anything about this as an individual but if you think you might be affected what you can do is to be extra vigilant over the coming weeks and months."