Media Coverage

Kingsley Hayes discusses the Zellis data breach in Infosecurity Magazine

Partner and Head of Data and Privacy Litigation, Kingsley Hayes, has commented in Infosecurity Magazine on the hack of payroll service provider Zellis via the third-party file transfer software MOVEit.

Kingsley’s comments were published in Infosecurity Magazine and The Stack on 6 June 2023, and in Employer News and UK Tech News on 7 June 2023.

The data breach was claimed by Russian cybercriminal group Cl0p and affected at least eight of Zellis’s customers including the BBC, British Airways, and Boots.

Kingsley commented:

“When data hacks involving third parties occur – such as in this latest data breach – there are always questions about who is to blame. It is a tricky question to answer, especially in this case where there are multiple points of failure.

“Nevertheless, while it was MOVEit that was hacked, employers remain responsible for the security of their employee data. Following the breach, the ICO will likely want to know more about the affected organisations’ security measures, and their relationships with Zellis in regard to data protection.

“While ransomware attacks are becoming ever more frequent, it is unusual for cybercriminals to demand that victims get in touch with them to begin negotiations. With many points of failure in this breach, it’s unclear whether Cl0p wants Zellis, MOVEit, or its affected clients to contact them.

“We would never advise any victim of a data breach to enter into discussions with cybercriminals. Not least because by the time data is in the hands of bad faith actors, it’s simply too late to keep it safe. We would advise all affected organisations take immediate steps to tighten up their data security practices, and to make sure their employees are kept fully informed about what is happening.

“Such measures are vital, because if your organisation handed personal data to a third party, then this data – and the safety of those it belongs to – remains your responsibility. This is the case regardless of who was breached. To the victims we would advise staying alert to calls and messages that may be seeking to extort money or further information; your data is highly valuable in the wrong hands.”

Maltin PR
