Security breaches at well-known British institutions, Russian-speaking cybercrime groups delivering ransom notes, ultimatums on the dark web and more than 100,000 individuals at risk of having their bank details leaked. This all sounds like the outline of a very modern spy thriller rather than a Monday morning HR agenda – but it's the latter that is true.
That’s because earlier this week, Boots, British Airways (BA) and the BBC, among others, confirmed that employees’ personal data had been stolen by cybercrime group Clop, thought to be based in Russia, which targeted software called MOVEit, used by Zellis, a widely used payroll provider.
As a result of the breach, The Telegraph reported that BA emailed staff to say that names, addresses, national insurance numbers and banking details could be compromised, while Boots told employees the data attack could have resulted in names, addresses, dates of birth and national insurance numbers being exposed.
A Zellis spokesperson confirmed the breach to People Management. “A small number of our customers have been impacted by this global issue and we are actively working to support them,” they said.
The vulnerability was previously unknown, but they have disconnected from the impacted server, reached out for expert advice and notified the Information Commissioner’s Office (ICO), the Data Protection Commission and the National Cyber Security Centre, the spokesperson added.
The people and business cost of cybercrime
When an organisation makes headlines after customer or staff data is lost, there is an obvious hit to the business and the brand. Especially if it has happened before, as it has for BA.
A recent report titled Cyber insurance claims: Minimize risk, maximize recovery by law firm Reed Smith found that, globally, businesses lose out on £48bn each year as a result of cybercrime.
BA carrier has previously been fined a record £20m by the ICO after a 2018 data breach saw customer personal and credit card data affected. This is because article 32 of the GDPR requires companies to take appropriate technical and organisational security measures to prevent cyberattacks; if they fail to put such measures in place they can be fined up to 2 per cent of annual worldwide turnover or £8.7m, whichever is higher. A financial risk to all companies that are not regularly reviewing their data protection and cybersecurity processes.
Matthew Clark, cyber director at Partner&, explains that the damage does not stop at the operational, reputational and a potential fine from the ICO. “Employers are often required to also bear the cost of monitoring services to minimise fraud for those impacted by the breach,” he says.
Rightly so, intimates Bruce McDougall, director at Black Arrow Cyber Consulting. “Being the victim of a cyber attack is a horrible experience that can be catastrophic for the individuals and organisations that are affected, and it is important to be conscious that the incidents are not just about data, but about people’s lives and livelihoods,” he says.
As such, Philip Richardson, head of employment law at Stephensons, explains that firms need to focus on compensation claims from impacted employees, being cognisant of their wellbeing and need for information if data is exposed. “Impacted firms will need to provide clear and timely advice to colleagues about what has happened, and explain what data has been compromised and the measures they are now taking to remedy it,” he adds.
Could more companies be impacted?
While speculating on who else might be affected by this latest round of cyber attacks would not be right, cyber experts believe businesses that are not updating their technology or cybersecurity processes, that are not doing due diligence when it comes to outsourcing, and that do not have supply chain checks and balances in place are opening themselves up to potential data breaches.
Simon Bain, CEO of OmniIndex, believes the data breaches that impacted the BBC and BA among others are the result of “outdated data stores and workflows” and a precedent being set by previous ransoms for breached data being paid.
He also feels companies should be wary of outsourcing, adding: “Organisations need to upgrade their systems; with the Web3 infrastructure available today, these ransomware attacks are simply impossible because with blockchain data store data is encrypted at all times.”
With a 2021 study by CoAdvantage finding that more than half (53 per cent) of HR functions are outsourcing payroll, Carl Atkinson, employment partner at gunnercooke, believes companies that are not asking third-party suppliers about their security protocols should be concerned. He says: “A review of legal agreements with suppliers is recommended to ensure that industry standard information security systems are applied throughout the supply chain.”
For McDougall, this means businesses need to ask their outsourced partners about the controls they put in place, and what happens if an incident occurs, and then have these answers reviewed by an independent cybersecurity expert. He also recommends an audit of suppliers and looking for certification, such as ISO 27001. “It is important that this process is not a tick-box exercise but instead it should be a genuine opportunity to understand whether the information is secure in another party’s hands,” he adds.
HR’s role in cybersecurity
While HR is a function that regularly outsources and is often used to at least oversee processes that use employee’s personal data, some may think cybersecurity is the remit of IT or digital functions. Not so, argues Clark. With 2022 government figures showing that 39 per cent of businesses reported a cyber attack, and very few SME businesses having a cybersecurity policy in place, it has got to be an HR concern. “This latest attack highlights that cybersecurity should be a central component of the human resources remit – both to prevent attacks and protect employees,” Clark says.
McDougall says this means checking in with all processes and suppliers, but also understanding the difference between data protection and cybersecurity – a clarity that can then inform policy and controls, especially as “HR, in particular, holds some of the most precious information in the organisation”.
Noting that this protection needs to include documentation, training of HR staff, the understanding of how popular payroll fraud is and the importance of controls, he explains: “Organisations need to have a cybersecurity strategy that includes layer upon layer of security controls across people, operations and technology; people are a source of risk but can also be a source of protection for the organisation if the strategy is designed correctly.”
And because payroll can often be targeted for cyber attacks, Vickie Graham, director at the Chartered Institute of Payroll Professionals, adds that while all attacks would be impossible to prevent, HR can take clear steps to mitigate the risk. These include: looking for providers that take the accreditation and secure process seriously; training all employees regularly on cybersecurity and the safe transfer of data; and creating business continuity and disaster recovery plans in case of a breach. “[In this way] organisations can take steps to protect themselves and ensure they have clear plans to follow and help deal with the implications of any cyber attacks,” she says.