The personal data of BBC and British Airways (BA) staff has been compromised in a cyber incident affecting their payroll provider, Zellis. While the extent of the breach is being urgently investigated, the BBC stated that employees’ bank account details are not believed to be compromised.
BA confirmed being impacted by Zellis’ cybersecurity incident, which exploited a zero-day vulnerability in the MOVEit file transfer tool.
Zellis, a payroll processor, handles data for multiple companies, and the total number of affected entities could be higher than reported.
Clients such as Jaguar Land Rover, Iceland, Dyson, and Aer Lingus, who rely on Zellis’ HR and payroll support services, may also be impacted. However, Zellis assured that no financial or bank details were compromised.
The MOVEit vulnerability has affected numerous companies globally, with a significant number impacted by this incident. Zellis has taken immediate action, disconnected the affected server and engaged external experts for forensic analysis and ongoing monitoring.
They have also reported the breach to data protection authorities and national cyber security centers in the UK and Ireland. Further updates will be provided as the investigation progresses.
