Payroll Provider Zellis Falls Prey to MOVEit Transfer Breach

Zellis, a payroll provider serving the UK and Ireland, and some its customers have been impacted by the exploitation of a zero-day vulnerability in the file transfer tool MOVEit. Microsoft security researchers have attributed the attack to Lace Tempest, a group affiliated with Clop ransomware. The group responsible has posted a warning to the impacted companies on the dark web: Get in touch by June 14 or the stolen employee data will be published, BBC News reports.

How can Zellis customers respond, and what can other enterprises do to manage their third-party risk?

The Attack

Progress Software offers the MOVEit file transfer software. On May 31, the company discovered a vulnerability (CVE-2023-34362) in MOVEit Transfer and MOVEit Cloud. “This zero-day vulnerability can grant escalated privileges and unauthorized access, which can lead to exfiltration of sensitive data and eventual monetization of that data through dark web markets and other means, including ransomware,” John Ghose, partner with privacy and cybersecurity firm VeraSafe and former federal cybercrime prosecutor, tells InformationWeek.

Zellis confirmed in a brief statement “… that a small number of our customers have been impacted by this global issue and we are actively working to support them.” The National Cyber Security Centre reports that eight Zellis customers have been impacted, including public service broadcaster BBC, pharmacy chain Boots, airline British Airways, and airline Aer Lingus. Thousands of employees could be impacted.

The Response

A security patch is now available to address the vulnerability. Progress published steps for recommended remediation and a blog post outlining the steps it is taking to protect its customers. The software company is urging its customers to download the patch and to search for any signs of unauthorized access within their environments.

“All customers should implement prudent scans of their network and infrastructures to identify if any potential signs of compromise or unauthorized access have occurred -- informing if remedial and immediate action is needed,” says Jeremy Ventura, director of security strategy and field CISO at API security company ThreatX.

The impacted companies will also need to take steps to protect their employees. “If a company suspects that its employee data could be comprised, the organization should immediately inform its employees because they are the eyes of the company and can provide valuable information concerning suspicious activity,” says Caroline Morgan, privacy and data security attorney and partner at full-service law firm Culhane Meadows.

In an emailed statement, British Airways noted that it has “notified those colleagues whose personal information has been compromised to provide support and advice.”

Understanding and Mitigating Third-Party Risk

Enterprises operate in a connected environment, and risk comes with that connectivity. The strength of vendor cybersecurity is just as important as an organization’s internal cybersecurity. “As more organizations rely on third-party tools or services, the ‘blast radius zone’ of their security threats increases exponentially, causing unintentional negligence in underestimating all possible attack points,”Venturaexplains.

The consequences of third-party breaches have a ripple effect. In 2022, 63 third-party breaches led to 298 cascading data breaches, according to the Third Party Breach Report from cyber ratings platform Black Kite.

“This software breach may have severe setbacks including loss of sensitive information, financial damages, reputation harm, and potential legal liabilities not just on Zellis, but also its high-profile customers (e.g., BBC, British Airways, and Boots) and their end users,” says Ventura of the MOVEit attack.

Third-party vendors are a vital consideration for companies’ risk management strategies. Morgan recommends reviewing third-party contracts to ensure vendors have appropriate security standards. “Familiarize yourself with indemnity clauses and applicable exceptions,” she says. “If your contracts do not contain the clauses you need or you want to beef up what you have, seek an amendment or consider a more robust vendor.”

But managing third-party risk doesn’t necessarily end with a strong contract. “Although it can be tempting to kick back and let your vendor be in the driver’s seat, staying active within your industry to learn what other companies are experiencing and doing to combat threats, and staying vigilant by monitoring for unauthorized access and atypical downloads, is worth the investment of time,” says Morgan.

Although rigorous due diligence can reduce third-party risk, Ghose notes that “… zero-day flaws are notoriously hard to detect because, by definition, they are novel.”

While organizations working with third-party vendors must remain vigilant, regulation may shift more responsibility onto vendors’ shoulders. Ghose points to the United States National Cybersecurity Strategy, which includes a strategic objective to shift liability to vendors that “fail to take reasonable precautions to secure their software.” “It will be interesting to see whether this strategic objective, if employed, can reduce the number of software products that contain vulnerabilities,” Ghose says.

What to Read Next:

Former Uber CSO Joseph Sullivan on His Trial and the Future

Breach Takes Systems Down Across Western Digital

Data Breach Settlement: Manufacturing Company to Pay $1.75M to Employees