Boots yesterday (June 6) confirmed that it has been hit by a “global data vulnerability” that included the personal details of some of its staff.

It said that the incident “affected a third-party software” called MOVEit, used by one of the multiple’s payroll providers, Zellis.

Read more: UPDATED: Boots hit by ‘global data vulnerability’ affecting staff members’ personal data

MOVEit said that a “critical vulnerability” identified in the software “could allow an unauthenticated attacker to gain access to MOVEit Transfer's database”.

Today (June 7), the BBC reported that Boots staff member data was in fact compromised, and that cybercrime gang Clop was behind the hack.

 

Criminals issue ultimatum

 

The BBC said that after breaking into MOVEit, the “criminals” were able to access the databases of “potentially hundreds” of companies. 

Clop published a notice on the dark web, “warning” the companies affected by the MOVEit hack – which includes Boots - to “email them before June 14 or stolen data will be published”, the BBC added.

Read more: Lloydspharmacy vows to take action after media reports of customer data breach

“More than 100,000 staff at the BBC, British Airways and Boots have been told payroll data may have been taken”, but employers have been “urged” not to pay if the “hackers demand a ransom,” the news giant said.

It remains unclear how many Boots team members were affected and whether it affected both corporate and pharmacy staff.

 

“Prolific cybercrime gang”

 

According to the BBC, the “prolific cybercrime gang” is “thought to be based in Russia”.

It said that “cyber security research previously suggested that Clop could be responsible for the hack”, which runs as a "ransomware as a service" group, meaning hackers “can rent their tools to carry out attacks from anywhere”.

Read more: Revealed: Almost 50 data breaches involving pharmacies in 16 months

And it claimed that Payroll provider Zellis has confirmed that eight UK organisations including Boots have been “breached” and had data “stolen” – “including home addresses, national insurance numbers and, in some cases, bank details”.

However, the BBC stressed that “not all firms have had the same data exposed”.

 

“Suspicious activity” identified last month

 

MOVEit also confirmed that the vulnerability it had identified in its software was exploited.

Its owner Progress Software said in a post last updated on June 2 that the MOVEit technical support team “received initial customer calls indicating suspicious activity on May 28”.  

It confirmed that it identified a “staged exploit” in its system but said that it did not find “any evidence that the exploit was activated or used by malicious parties” to remove data.

However, it stressed that “the investigation remains ongoing”.

Read more: What you need to know about new patient data safety recommendations

A blog post published by Progress on Monday (June 5) added that Microsoft’s Threat Intelligence team is partnering with it in the investigation.

It said that the team attributed the “exploit of [the data] vulnerability to a threat actor they track as Lace Tempest, a sophisticated cybercriminal group”.

But it added that the company has “not yet confirmed that information independently”.

 

“Immediate mitigation”

 

A MOVEit spokesperson told C+D yesterday evening (June 6) that after discovering the vulnerability, it “promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps”.

“We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours,” they said.

Read more: UPDATED: Boots CFO Michael Snape quits after five years in role

They added that they have “implemented a series of third-party validations to ensure the patch has corrected the exploit”.

MOVEit is “continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures”, the spokesperson said.

“We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products,” they added.