A few months ago, British Airways, BBC and Boots all suffered cyber security breaches where the hackers exploited a vulnerability in MOVEit Transfer software to access a range of information. This led to thousands of staff from a growing number of UK firms having their personal data, including bank and contact details, exposed.
A ransomware group named Clop claimed responsibility for the cyber security breaches centred around the MOVEit file transfer software. A so-called zero-day vulnerability, essentially a previously unknown flaw in the MOVEit file transfer system, was exploited by cybercriminals. It allowed the hackers to access information on a range of global companies using MOVEit Transfer.
UK-based payroll provider Zellis confirmed that eight of its clients were among the firms affected, which included British Airways.
Which organisations could be next and why (e.g. companies that outsource data-sensitive processes such as payroll, HRIS and onboarding)?
Phishing continues to pose the greatest threat to businesses. In terms of who could be next, it could be any company with a large database of client or employee information that is combined with financial details, such as credit card information or bank account details. This is why airlines have been a target recently but accountants, solicitors, insurance companies and online retailers are also sectors that are commonly attacked.
Many also believe that ransom attacks will increase. Any company that relies on its data to function can be targeted and held to ransom, which could affect any organisation that has predominantly digitalised its work.
What should be done process and security-wise to prevent further cyber security breaches or more personal details being stolen?
Expert advice on IT security, building security, appropriate procedures, training and compliance with UK GDPR should be sought by every organisation without delay. Businesses still assume it will not happen to them when, in reality, every organisation could be a target.
Whilst taking proactive steps will not guarantee protection against a cyber incident – as demonstrated by high-profile companies like British Airways being successfully targeted – it will ensure that your organisation is in the best position to react quickly and efficiently if needed.
If you have been prepared but are still unlucky enough to be a victim of a cyber incident, you will have well-trained staff who know what is expected of them and what steps to take.
If organisations are unsure where to start, there are professionals available who can guide them through the process of making sure they are prepared, as well as acting as an emergency service when the worst happens.
The East Midlands Cyber Resilience Centre is a free-to-access, police-associated organisation that can assess the effectiveness of a company’s cyber resilience. It can also signpost businesses to appropriate individuals in their area who can then act to plug the gaps in their processes, equipment and software.
Should businesses be more wary of who they outsource HR processes to – what should they be looking for when they do use third-party vendors?
As many internal HR functions such as payroll are being outsourced, businesses need to ensure that due diligence is performed.
All businesses that are outsourcing to third-party suppliers should be asking them what security protocols and controls are in place and what happens if an incident occurs. These responses should then be reviewed by an independent cybersecurity expert.
An understanding of the differences between data protection and cybersecurity is also essential. Under UK GDPR, the data controller is responsible for its compliance and the compliance of its data processor. In cases of outsourcing, the third party is the data processor. Businesses can mitigate risks when using third-party vendors by ensuring they are GDPR compliant, thoroughly vetting all third-party vendors and partners, and regularly auditing third-party security controls.
What do organisations need to do to ensure they look after their people’s data? What happens to affected staff?
Appropriate IT systems, training and procedures will give the best chance of protection but are not infallible. If the worst does happen, advice should be sought immediately from appropriate IT and legal professionals on how to deal efficiently with the aftermath of a cyber-attack.
How can we help?
Kevin Modiri is a Partner in our expert Dispute Resolution team, who advises organisations, including public bodies, charities, the private sector and individuals, on all aspects associated with data and cyber security breaches and general UK GDPR compliance.
If you have any questions concerning the subjects discussed in this article, please do not hesitate to contact Kevin or another team member in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.