British Airways (BA) has revealed all its staff who are paid in the UK have been caught up in a cyber incident that has exposed personal data including bank and contact details to hackers.
It emerged last week that a so-called zero-day vulnerability – a flaw – in the file transfer system MOVEit, produced by Progress Software, had been exploited by cyber criminals.
It had allowed the hackers to access information on a range of global companies using MOVEit Transfer.
UK-based payroll provider Zellis confirmed on Monday that eight of its clients had been affected by the attack.
It did not name the organisations but BA later confirmed that it was among them.
The airline has 34,000 UK employees.
The Telegraph newspaper reported that the BBC and Boots were also among those to have been caught up in the hacking which, it added, was being linked to a Russia-based group.
The compromised information includes contact details, national insurance numbers and bank details.
BA told Sky News: “We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.
“Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.
“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.”
Zellis said in its own statement: “A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product.
“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.
“All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”