Incident Overview
In late May 2023, cybercriminals exploited a zero-day SQL-injection vulnerability (CVE-2023-34362) in the MOVEit file-transfer software, a tool widely used by businesses to transmit files securely. The attackers deployed a custom web shell (“LEMURLOOT”) to extract data stored in Microsoft Azure Blob containers.
The Clop ransomware group, also known as Lace Tempest, claimed responsibility. They issued a public warning to victims via their dark-web blog, demanding ransom or threatening data exposure.
Affected Organisations and Data Exposed
The breach impacted over 2,700 organisations worldwide, affecting approximately 93 million individuals, with numbers still rising.
In the UK, a key victim was Zellis, a payroll provider servicing many high-profile organisations. At least eight of its clients were compromised: the BBC, British Airways (BA), Boots, and Aer Lingus, among others.
British Airways confirmed that employee names, addresses, National Insurance numbers, and bank account details were affected.
Boots reported exposure of employee names, employee numbers, dates of birth, email addresses, NI numbers, and partial home addresses.
The BBC confirmed the breach included names, dates of birth, NI numbers, and first-line home addresses—but bank details were not compromised.
Aer Lingus stated employee data was affected, but no financial or contact details were exposed.
Technical Attribution & Response
Progress Software, the developer of MOVEit, released a patch within 48 hours of discovering the flaw. Cybersecurity agencies and firms, including CISA, Microsoft, CrowdStrike, and Mandiant, were involved in incident response efforts.
Organisations were urged to conduct scans for indicators of compromise and begin forensic investigations. Affected companies were further advised to contact regulatory agencies and inform affected individuals.
Broader Impact and Commentary
The attack exemplifies the risks of supply-chain vulnerabilities, where a single exploited platform like MOVEit can cascade into widespread organisational compromise.
Cybersecurity experts emphasised the urgent need for vendor risk management, network segmentation, and zero-trust architecture to mitigate such upstream threats.
Summary Table
| Category | Details |
|---|---|
| Attack Timeline | May 2023 (zero-day exploited, patch released 31 May) |
| Primary Vulnerability | MOVEit Transfer SQL-injection (CVE-2023-34362) |
| Responsible Group | Clop (Lace Tempest) ransomware gang |
| Affected Organisations | BBC, British Airways, Boots, Aer Lingus, Zellis and more |
| Data Exposed | Employee names, NI numbers, dates of birth, addresses, bank details |
| Remediation Efforts | Patch rollout, incident response by Progress Software and agencies |
| Key Risk Highlighted | Weaknesses in third-party software/vendor security |
Key Insights
This breach underscores how vulnerabilities in widely used third-party tools can have profound downstream effects, affecting numerous organisations and millions of individuals.
Organisations must adopt rigorous third-party audit and security protocols.
Affected individuals should remain alert to identity theft, phishing, and suspicious communications.






