British Airways has been caught up in a massive data breach of highly personal information belonging to thousands of its employees after a ‘cybersecurity’ incident hit a third-party supplier of payroll support services.
In a statement, the airline said the supplier discovered it had experienced a cybersecurity incident over the weekend that compromised a raft of personal data, including bank account details, national security numbers, home addresses and dates of birth of its employees.
British Airways is one of a number of companies that uses software provided by Bristol-based Zellis UK Ltd to manage its payroll systems, who confirmed that a “small number” of its customers had been hit by the data breach.
A spokesperson for British Airways told us that the breach had been traced to a so-called zero-day vulnerability in a popular filer transfer tool called MOVEit which is made by Progress Software.
“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool,” a statement from the airline explained. “We have notified those colleagues whose personal information has been compromised to provide support and advice”.
British Airways’ parent company has tasked its Security Operations Centre to try to contain the breach and to “mitigate the misuse of information”. Zellis said it was “actively working” to support customers hit by the data breach.
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring,” the company told us.
Zellis also said that it had reported the matter to law enforcement and the Information Commissioners’ Office.
A spokesperson for the ICO confirmed that it had been notified of a data breach and that it was “assessing the information provided”. The ICO has the power to investigate businesses for data law breaches and, in serious cases, can impose fines of up to £17.5 million, or 4% of a company’s total worldwide annual turnover.
The ICO proposed a record £180 million fine against British Airways following a 2018 data breach that involved the personal details of 400,000 customers and employees being compromised after hackers gained access to the airline’s booking systems.
Following a lengthy appeal, the ICO lowered the fine to £20 million after taking into account the financial impact that the pandemic had levelled on British Airways. The information commissioner slammed British Airways for its “unacceptable” failure to protect its customer’s data.
Zellis manages payroll services for around 5 million employees and counts 42% of FTSE 100 companies among its customers. Aer Lingus, Dyson, Harrods, Sky and Jaguar are listed as Zellis users.
Mateusz Maszczynski honed his skills as an international flight attendant at the most prominent airline in the Middle East and has been flying throughout the COVID-19 pandemic for a well-known European airline. Matt is passionate about the aviation industry and has become an expert in passenger experience and human-centric stories. Always keeping an ear close to the ground, Matt's industry insights, analysis and news coverage is frequently relied upon by some of the biggest names in journalism.