Chemist + Druggist is part of Pharma Intelligence UK Limited


UPDATED: Boots hit by ‘global data vulnerability’ affecting staff members’ personal data

Boots has been hit by a “global data vulnerability” that included the personal details of some of its staff, it has confirmed.

The multiple told C+D today (June 6) that the incident “affected a third-party software” called MOVEit, used by one of the multiple’s payroll providers, Zellis.

The “global data vulnerability” included some of the multiple’s “team members’ personal details”, a Boots spokesperson said.

“Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware,” they added.

They stressed that the issue is affecting many companies globally.

It remains unclear how many team members were affected and whether it affected all Boots branches including both corporate and pharmacy staff – as well as what personal data was exposed.

Boots also did not clarify when the incident happened, when the multiple became aware of it and when it was rectified.

Cyber attack?

A statement published by MOVEit on May 31, last updated yesterday (June 5), said that a “critical vulnerability” identified in the software “could allow an unauthenticated attacker to gain access to MOVEit Transfer's database”.

It has been reported that a cyber attack on the data may have originated in Russia.

But payroll provider Zellis stressed that so far, investigations have not found any evidence of any information being released publicly or being used illegally.

“Ongoing monitoring”

A spokesperson for Zellis confirmed to C+D today that “a large number of companies” worldwide were “affected by a zero-day vulnerability” in MOVEit, which is owned by Progress Software.

Zellis is “actively working to support” the “small number” of its own customers that were impacted by the “global issue”, they said.

The payroll provider took “immediate action” once it became aware of the incident, “disconnecting the server” that uses MOVEit software and “engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring”, they added.

Zellis also notified the Information Commissioner’s Office (ICO), Data Protection Commission (DPC) and the National Cyber Security Centre (NCSC) in the UK and Ireland, the spokesperson said.

“Robust security processes”

“We employ robust security processes across all of our services and they all continue to run as normal,” they told C+D.

All Zellis-owned software is “unaffected” and there are “no associated incidents or compromises to any other part” of its IT estate, they stressed.

It comes as Lloydspharmacy launched an investigation in April following claims in the media that it shared customer data with TikTok and Facebook for targeted advertising.
