British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack

British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app. Microsoft reckons the Russian Clop ransomware crew stole the information. British Airways, the BBC, and Boots …

  1. VoiceOfTruth

    Nice aggregation of numbers, truthful, but...

    -> a small number of our customers

    Yeah. But how many actual people? BA has about 35,000. The BBC and Boots are well into the tens of thousands extra.

    -> another major supply chain attack

    Hmm. It almost seems like the supply chain is not very secure.

  2. Anonymous Coward

    We use Zellis for our payroll. I presume MoveIT is used for secure FTP feeds to integrate payroll with other corporate systems. Given that most companies will not operate payroll siloed I can imagine this breach affecting more customers than is implied.

    1. A random security guy

      I expect the infiltration to spread to more than the payroll system they initially attacked. There is something else that happens when the number of victims is very large: the hackers have a hard time extracting information of value from all of them. I remember working with a company last year which had been potentially breached but we found that the hackers had merely probed but not gone further because there were far juicier targets to exploit.

      So you may be safe(r). Depends on your specific situation ...

      1. katrinab Silver badge
        Meh

        As far as I can see, it wasn't the actual payroll system that was attacked, it was the system they use to transfer time sheets, new employee detail forms and that sort of thing to the payroll people.

  3. Anonymous Coward

    Ahhhhh outsourcing

    It will save so much money…..

    1. Derezed
      Flame

      Re: Ahhhhh outsourcing

      What's your point? They still "saved" the money...all that's happened is all of their employees' personal data is all over the internet...no biggie...a year's supply of Experian credit checker will be enough to sort all that out.

      The cost to the business of this breach is...zero. They don't care.

  4. Anonymous Coward

    SQL injection flaw

    Hidden layers of legacy software? Cut and paste by a foreign outsourcing company, or maybe the result of state of the art generative AI? That's some dumb shit.

    Time to change your underwear (aka pants/knickers).

    1. Pier Reviewer

      Re: SQL injection flaw

      Legacy? Sadly parameterising queries *still* isn’t done every time :( Even where it is, dumb stuff happens. The other week I was reviewing some code. DB interaction looked reasonable on the surface - all the queries were parameterised so it was safe right? Wrong :(

      They were calling stored procedures safely, but the SPs were then concatenating input and EXEC’ing it ^^.

      It’s a fairly common pattern sadly - Java/.Net/whatever devs do their bit safely, but then the data team who write the SPs do random **** like it’s 1995. Neither team knows or understands what the other team is doing so you end up with trivially discoverable and exploitable SQLi.

      1. EnviableOne

        Re: SQL injection flaw

        which is the entirely expected problem with agile methodology ("my bit works")

        1. Paul 195

          Re: SQL injection flaw

          That's not a problem with agile. That's a problem with silos. Anyone who understands agile development (by which I don't mean anyone who has one of the many industry "qualifications" in agile) is trying to break down silos and get people in different teams to f****ing talk to each other.

          1. Anonymous Coward

            Re: SQL injection flaw

            You don't need agile for people to get out of silos and talk to each other, you need an environment where a cross-discipline team is put together to work on a project, and the experts in one field are ready to tolerate the "stupid" questions from people who are experts at something completely different, so that they're not afraid to ask the questions that aren't stupid and have implications for everyone. I work in engineering, and the most successful projects are the ones where the electronic specialists, the thermal specialists, the structural specialists and the guys putting the CAD together talk all the time without having to call a project meeting to do so.

            1. Paul 195
              Joke

              Re: SQL injection flaw

              You've described very well the kind of teams we try to build and foster when coaching organizations in being effective at software development. Agile's main problem these days is the industry that's grown up around it pushing all sorts of convoluted practices. The other big problem is Jira.

      2. Missing Semicolon Silver badge

        Re: SQL injection flaw

        It sounds like the stored procedures were written to explicitly evade SQL concatenation detection.
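The pattern Pier Reviewer describes above (a parameterised call from the application into a stored procedure that then concatenates the value and EXECs it), shown as an added T-SQL example. This is not code from the article or from any commenter; the table, column and procedure names are hypothetical, and the data row is constructed for the demonstration.

```sql
-- Added example (not from the article or any commenter); names are hypothetical.
-- Target: SQL Server / T-SQL, where the "safe call into an unsafe stored
-- procedure" pattern is common.

CREATE TABLE dbo.Employees (
    EmployeeId  INT IDENTITY PRIMARY KEY,
    Surname     NVARCHAR(100) NOT NULL,
    NiNumber    NVARCHAR(20)  NOT NULL
);
-- Constructed sample row.
INSERT INTO dbo.Employees (Surname, NiNumber) VALUES (N'Smith', N'QQ123456C');
GO

-- VULNERABLE: the application passes a real parameter, so the app-side review
-- passes, but the procedure splices the value into SQL text and EXECs it.
CREATE PROCEDURE dbo.FindEmployee_Vulnerable @Surname NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT EmployeeId, Surname FROM dbo.Employees WHERE Surname = '''
        + @Surname + N'''';
    EXEC (@sql);   -- @Surname is now SQL text, not a value: injection point
END
GO

-- The caller's side looks fine: a typed parameter, no string building...
EXEC dbo.FindEmployee_Vulnerable @Surname = N'Smith';

-- ...but the same parameter carrying a payload closes the quote, appends a
-- UNION that pulls the NI numbers, and comments out the trailing quote.
-- Resulting text: ... WHERE Surname = 'x' UNION SELECT EmployeeId, NiNumber FROM dbo.Employees --'
EXEC dbo.FindEmployee_Vulnerable
    @Surname = N'x'' UNION SELECT EmployeeId, NiNumber FROM dbo.Employees --';
GO

-- FIXED: keep the value a value all the way down. Where dynamic SQL is really
-- needed, pass the input to sp_executesql as a typed parameter instead of
-- concatenating it.
CREATE PROCEDURE dbo.FindEmployee_Fixed @Surname NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT EmployeeId, Surname FROM dbo.Employees WHERE Surname = @s';
    EXEC sp_executesql @sql, N'@s NVARCHAR(100)', @s = @Surname;
END
GO

-- Same payload against the fixed procedure: compared as a literal surname,
-- matches nothing, returns zero rows.
EXEC dbo.FindEmployee_Fixed
    @Surname = N'x'' UNION SELECT EmployeeId, NiNumber FROM dbo.Employees --';
GO

-- Triage query for the review scenario: list modules whose body contains the
-- string-executing form EXEC(@...), which is where concatenation hides. This is
-- a coarse heuristic (misses EXEC( @x ) with a space, and plain EXEC @x runs a
-- procedure named by the variable rather than a string); read each hit's body.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS module_name
FROM sys.sql_modules AS m
WHERE m.definition LIKE '%EXEC%(@%';
```

The point of the two calls is that nothing in the application changes between them: the same `@Surname` parameter is safe against `FindEmployee_Fixed` and exploitable against `FindEmployee_Vulnerable`, so a review that stops at the data-access layer cannot tell the difference. The triage query is the cheap first pass a reviewer can run against the database itself rather than trusting the application code.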

  5. Binraider Silver badge

    Spreadsheets left in the wrong place by any chance?

    Or middleware integration gone wrong?

    In either case, kudos to the cleanup crew that will have to deal with (another) mess probably caused by someone else that won't feel the pain they've created.

    1. Hans 1

      SQL injection ...

  6. miken101

    Working through the alphabet?

    Is it just British Airways, Boots & BBC or has reporting not addressed the rest of the alphabet yet?

  7. Hans 1
    Angel

    Cloudy systems, hack one system, gain multiple customers' data ... in this case, seems they noticed quickly ...

    1. Derezed

      ...or did they? The truth will out.

  8. Anonymous Coward

    How much to have them add a zero to the end of my pay?

    Certainly 1 way to garner public sympathy.

    Otherwise they can go and do 1.

    In other news, the BBC has told its staff what info was leaked

    https://order-order.com/2023/06/06/bbc-admits-national-insurance-numbers-and-addresses-stolen-in-data-breach/

    Anon because some people get upset about guido for some unknown reasons that seem to be about silencing free speech or something

  9. Dropper

    Nothing will change

    As there is no meaningful consequence to losing personal information, this will continue to happen and the victim will continue to get absolutely no help whatsoever.

    Except for the pointless credit monitoring, which just tells them how fucked they are.

    So you have credit monitoring, someone uses your information to open a credit account and it dings on your monitored credit report 2 months later.

    What fast, simple and painless method does the victim have to have that account closed and removed from their credit?

    What consequence that actually compensates the victims and punishes the lax security does the company that allowed the breach suffer?

    If a victim gets a mortgage, and their interest rate is increased 2% because their credit is now shit, who do they contact to receive monthly payments for up to 30 years to refund the difference between the rate they got and the rate they would have received?

    Funny how none of this is even a consideration. No, you get credit monitoring. Woo-fucking-hoo.

  10. wolfetone Silver badge

    This story isn't new, how many times does it happen a week? Surely now is the time to think how best to hold user data. Stick it in a silo that a lot of resources can be used to protect the data there. The alternative right now is everyone rolls their own and then don't give two shits about protecting it.

  11. Mr Dogshit
    FAIL

    I'm glad to hear Progress takes the security of their customers very seriously.

    What does this MOVEit do anyway that Robocopy can't do?

  12. Dunstan Vavasour
    Facepalm

    Lessons will be learned

    I'm confident that lessons will be learned and procedures put in place to make sure this can never happen again until next time.

  13. I should coco

    Ah! You see, Moveit offer additional layers of security, support, helpdesk and errr... oh. No they don't.

  14. hatti

    Dido

    Where's Dido Harding when you need her?

  15. Anonymous Coward

    Good to see that IBM are not affected, even though they are the supplier to the BBC and subcontracted the payroll job out to Zellis. Obvs they did not trust Zellis with their own information

  16. Screwed

    And spam?

    In the last five or six days, I've received spam purporting to be from Boots (but clearly not if you look at the headers) - to an email address I used for communicating with Boots customer services.

    Keep wondering if this hack is why it has started.
