Ofcom and Ernst & Young affected by MOVEit data hack


Media watchdog Ofcom and accountancy firm Ernest Young are the latest UK organisations to be affected by the MOVEit data hack. British Airways, the BBC, Boots and Aer Lingus employees are also affected by the software breach. 

According to reports, 412 Ofcom employees have had their data stolen in the data security incident – which was carried out by Russian cybercriminals. In a statement, an Ofcom spokesperson said:  

“A limited amount of information about certain companies we regulate – some of it confidential – along with personal data of 412 Ofcom employees, was downloaded during the attack”.   

“We took immediate action to prevent further use of the MOVEit service and to implement the recommended security measures. We also swiftly alerted all affected Ofcom-regulated companies, and we continue to offer support and assistance to our colleagues.” 

No payroll data was affected, so this breach may not be linked to payroll provider Zellis. Zellis is one organisation affected by the MOVEit breach. Zellis provides payroll support services to hundreds of companies in the UK. Eight of its clients are said to be impacted. 

According to the BBC, Ernst & Young is also a victim of the MOVEit data breach. The accountancy firm said that the vast majority of its systems were unaffected but that it was investigating where data may have been accessed.  

Ernst & Young and Ofcom will notify those affected.  

What happens next in the MOVEit data hack?

Clop – the Russian cybercriminal group behind the attack has threatened to start publishing stolen data from affected companies that do not email them to begin the negotiations by Wednesday. According to the BBC, the “group is well-known for carrying out its threats and it is likely that organisations will have private data published on the gang’s darknet website in the coming weeks”.

Commenting on the attack, Kingsley Hayes, Head of Data & Privacy Legislation at Keller Postman UK said:

“While ransomware attacks are becoming ever more frequent, it is unusual for cybercriminals to demand that victims get in touch with them to begin negotiations. 

“We would never advise any victim of a data breach to enter into discussions with cybercriminals. Not least because, by the time data is in the hands of bad faith actors, it’s simply too late to keep it safe. We would advise all affected organisations take immediate steps to tighten up their data security practices, and to make sure their employees are kept fully informed about what is happening. 

“Such measures are vital, because if your organisation handed personal data to a third party, then this data – and the safety of those it belongs to – remains your responsibility. This is the case regardless of who was breached. To the victims we would advise staying alert to calls and messages that maybe seeking to extort money or further information; your data is highly valuable in the wrong hands.

Make a data breach compensation claim

While it was MOVEit that was hacked, organisations remain responsible for the security of their personal data. Following the breach, the ICO will likely want to know more about the affected organisations’ security measures, and their relationship with third-party software providers in regards to data protection.   

At Keller Postman UK, our cyber experts are investigating the breach to find out what happened, which organisations are involved, and who is affected. 

If you receive notification that you are affected by this data breach, register below to make a no-win, no-fee compensation claim. 


Share this article: