Russian Hacker

A Russian cybercrime gang that stole personal data belonging to tens of thousands of BBC and British Airways staff has told the companies they have one week to pay a ransom.

In a warning posted to the Dark Web, the Clop group, whose members are known to speak Russian, told the affected companies to email them by June 14.

Clop said it was responsible for a cyber security attack against a British payroll outsourcing company, Zellis, which led to personal data being stolen from Boots, the BBC, British Airways and Aer Lingus. Also targeted were the Nova Scotia Government and the University of Rochester.

The gangsters ordered companies caught up in the hack to contact the criminals, or else they would leak sensitive payroll data to the Dark Web. It marks an unusual tactic from the hackers, as ransomers would usually contact their victims directly to demand money.

The warning note, posted to the Clop gang’s dark web site and seen by The Telegraph, said: “This is announcement to educate companies who use Progress MOVEit product.

“If we do not hear from you until June 14 2023 we will post your name on this page… call today before your company name is publish here.”

No figure was given for the ransom demand. Typically the gang tailors its demands to the size of the affected company, demanding larger payouts from bigger organisations.

Earlier this week Zellis said eight of its corporate customers were impacted by the “global issue”, which may have exposed personal information, including names, home addresses, and banking details.

A British Airways spokesman said: “We have notified those colleagues whose personal information has been compromised to provide support and advice.”

The company warned all of its 34,000-strong workforce that their personal information may have been stolen in the hack.

British Airways and Zellis have both reported the incident to the Information Commissioner’s Office (ICO), the payroll company said.

A Boots spokesman said: “A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members’ personal details.

“Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware.”

Unlike many recent high-profile cyber attacks, the latest incident does not involve ransomware, in which malicious software is used to scramble computer files.

Experts from cyber security company Secureworks confirmed that the Clop attack is a “hack and leak” operation, involving data theft and extortion.

The hack and ransom demand come after Royal Mail was attacked by a similar Russian-speaking ransomware gang earlier this year. The company received a £65m ransom demand which it refused to pay.

Lisa Forte, a partner at Red Goat Cyber Security and a former police cyber crime specialist, said: “This attack may have been caused by another organisation but the impacts of it sit firmly with Boots, BBC and others.

“Crisis management teams and executives will be taking advice on the ransom demand and, whether they decide to pay or not, will definitely have to be considering the impact of both courses of action very carefully.

“Not paying will almost certainly lead to the release of the data ... so strategy is key here whichever way they decide to proceed.”

