British Airways Caught Up in Massive Payroll Data Breach After ‘Cybersecurity’ Incident Hits Supplier

[Image: British Airways. Photo credit: Arie Wubben via Unsplash]

British Airways has been caught up in a massive data breach of highly personal information belonging to thousands of its employees after a ‘cybersecurity’ incident hit a third-party supplier of payroll support services.

In a statement, the airline said the supplier discovered it had experienced a cybersecurity incident over the weekend that compromised a raft of personal data, including bank account details, national security numbers, home addresses and dates of birth of its employees.

British Airways is one of a number of companies that use software provided by Bristol-based Zellis UK Ltd to manage their payroll systems; Zellis confirmed that a “small number” of its customers had been hit by the data breach.

A spokesperson for British Airways told us that the breach had been traced to a so-called zero-day vulnerability in a popular file transfer tool called MOVEit, which is made by Progress Software.

“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool,” a statement from the airline explained. “We have notified those colleagues whose personal information has been compromised to provide support and advice”.

British Airways’ parent company has tasked its Security Operations Centre to try to contain the breach and to “mitigate the misuse of information”. Zellis said it was “actively working” to support customers hit by the data breach.

“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring,” the company told us.

Zellis also said that it had reported the matter to law enforcement and the Information Commissioner’s Office.

A spokesperson for the ICO confirmed that it had been notified of a data breach and that it was “assessing the information provided”. The ICO has the power to investigate businesses for data law breaches and, in serious cases, can impose fines of up to £17.5 million, or 4% of a company’s total worldwide annual turnover.

The ICO proposed a record £180 million fine against British Airways following a 2018 data breach that involved the personal details of 400,000 customers and employees being compromised after hackers gained access to the airline’s booking systems.

Following a lengthy appeal, the ICO lowered the fine to £20 million after taking into account the financial impact the pandemic had on British Airways. The information commissioner criticised British Airways for its “unacceptable” failure to protect its customers’ data.

Zellis manages payroll services for around 5 million employees and counts 42% of FTSE 100 companies among its customers. Aer Lingus, Dyson, Harrods, Sky and Jaguar are listed as Zellis users.


© 2023 All Rights Reserved.
