BBC employee data exposed in Zellis hack


BBC is among the organizations affected by the hack of Zellis, a popular third-party payroll service provider.

ADVERTISEMENT

“Zellis manages the payroll process for the BBC and therefore holds personal data about BBC employees and individuals engaged by the BBC on a PAYE basis and in some instances information about past employees,” BBC informed its employees.

There’s no evidence that bank account details have been disclosed.

Zellis was hacked by exploiting the MOVEit Transfer 0-day vulnerability. Microsoft attributed the flaw exploitation campaign to the Cl0p ransomware gang.

The zero day bug affects MOVEit Transfer’s servers, allowing attackers to access and download data.

Earlier, British Airways (BA) said an attack on its payroll provider Zellis impacted the company’s employees.

BBC is working with IBM and Zellis to evaluate the risk posed to its employees.

“Investigations have confirmed data disclosed includes personal information for BBC staff both past and present. Freelance colleagues who have always been gross paid, and therefore have not ever been paid through the Zellis payroll system are not affected,” it said.

The breach has been reported to the Information Commissioners Office (ICO).

ADVERTISEMENT