Partner and Head of Data and Privacy Litigation, Kingsley Hayes, has commented on the hack on payroll service provider Zellis via third-party file transfer software MOVEit in Infosecurity Magazine.
The data breach was claimed by Russian cybercriminal group Cl0p and affected at least eight of Zellis’s customers including the BBC, British Airways, and Boots.
“When data hacks involving third parties occur – such as in this latest data breach – there are always questions about who is to blame. It is a tricky question to answer, especially in this case where there are multiple points of failure.
“Nevertheless, while it was MOVEit that was hacked, employers remain responsible for the security of their employee data. Following the breach, the ICO will likely want to know more about the affected organisations’ security measures, and their relationships with Zellis in regard to data protection.
“While ransomware attacks are becoming ever more frequent, it is unusual for cybercriminals to demand that victims get in touch with them to begin negotiations. With many points of failure in this breach, it’s unclear whether Cl0p wants Zellis, MOVEit, or its affected clients to contact them.
“We would never advise any victim of a data breach to enter into discussions with cybercriminals. Not least because by the time data is in the hands of bad faith actors, it’s simply too late to keep it safe. We would advise all affected organisations take immediate steps to tighten up their data security practices, and to make sure their employees are kept fully informed about what is happening.
“Such measures are vital, because if your organisation handed personal data to a third party, then this data – and the safety of those it belongs to – remains your responsibility. This is the case regardless of who was breached. To the victims we would advise staying alert to calls and messages that may be seeking to extort money or further information; your data is highly valuable in the wrong hands.”