6 June 2023

BA, Boots and BBC staff details compromised in MOVEit zero-day attacks



IAG-owned British Airways, the UK pharmacy chain Boots and the BBC told thousands of staff that personal information, including bank details and social security numbers, may have been compromised in a data breach at Zellis, a payroll provider used by hundreds of companies in Britain.

Zellis said a “small number of customers” have been impacted in an incident involving a vulnerability in MOVEit software.

“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring,” the company said in a statement.

The BBC, Boots and British Airways have all confirmed they have been impacted, with the BBC telling staff that ID numbers, dates of birth, home addresses and National Insurance numbers were compromised in the incident. British Airways personnel have also been told their banking details may have been stolen. Boots confirmed that the breach affected some of its 50,000 staff members' personal details, although bank details appear not to have been impacted.

Earlier this month, reports emerged that threat actors are attempting to steal data from organizations using a previously unknown flaw in MOVEit MFT. The zero-day bug is an SQL injection vulnerability that could lead to escalated privileges and potential unauthorized access to the environment. All MOVEit Transfer versions are said to be affected. The software maker released MOVEit Transfer 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, and 2021.0.6 to address the issue. The company urged customers to disable all HTTP and HTTPS traffic to their MOVEit Transfer environment.

Following the public disclosure, multiple security agencies and cybersecurity firms, including the US Department of Homeland Security, the UK National Cyber Security Centre, Microsoft, and Google-owned Mandiant, released alerts to warn about the mass exploitation of the MOVEit MFT zero-day vulnerability.

Microsoft’s threat intelligence team attributed the attacks on MOVEit MFT software to a group it tracks as “Lace Tempest”, known for running ransomware operations and the Clop ransomware extortion site.

Mandiant said it also observed at least one threat actor associated with Clop recently seeking partners to work on SQL injections.

On Monday, the Clop ransomware gang took responsibility for the attacks. In an email to Reuters, the threat actors confirmed that it “was our attack” and that victims who refused to pay a ransom would be named and shamed on the group's website.

More and more organizations are now confirming that they have been impacted by the MOVEit supply chain attacks. Several companies and the government of the Canadian province Nova Scotia said that they were dealing with breaches related to the MOVEit secure file transfer software.

