More than 450 employees of organisations including the BBC, British Airways and Boots have sued Zellis alleging the payroll and human resources provider failed to take action to prevent a cyberattack suspected to have been carried out by Clop, a Russian cybercrime group.
Clop posted a notice on the dark web in June 2023 claiming responsibility for hacking hundreds of companies and threatening to publish stolen data unless the businesses paid a ransom.
The High Court case is latest to result from the MOVEit attack which claimants assert stole personal data including names, addresses and national insurance numbers. The claimants believe the attack may not have happened if the U.K. software company had complied with its duties on information security.
In North America, the attack has led to Yale New Haven Health, one of Connecticut’s largest medical groups, facing a proposed class action at a state court brought by 840,000 patients whose private records were hacked.
Hackers targeted the file transfer tool MOVEit in May 2023, enabling the group to steal sensitive personal data. “The data security breach would not have occurred but for — alternatively was materially facilitated by — the defendant’s failure to comply with its duties to the claimants,” the claim states.
A total of 465 claimants, who worked for Boots, the BBC, British Airways PLC, DHL Services Ltd., aviation company Leonardo UK Ltd. and Avon Cosmetics Ltd., said Zellis failed to comply with its duties under data protection legislation and did not take reasonable steps to protect their information.
After the attack, Zellis said it had disconnected its MOVEit server and contacted data regulators in the U.K. and Germany, however, the High Court claim says the company did not review its vulnerability or require staff to change passwords regularly and “failed to follow normal industry standards for protection against cyberattacks” and “failed to engage competent, external cybersecurity agencies to check and protect against vulnerabilities and unauthorised access to the personal data.”
In at least once case, the incident resulted in a claimant’s stolen details being used to commit crimes, with others stating they have suffered “injury to feelings, including worry, anxiety and distress, resulting from a reasonably apprehended fear of increased risk of identity theft and cyber-fraud.”
W Denis offers companies expert support and risk management solutions to protect supply chains and business operations. Cyber exposures are evolving and it is important that businesses review their insurances, for suitability, using a specialist broker. To discuss this further with a broker at W Denis, please make arrangements with Daniel Moss at [email protected] or on 0044 (0)113 2439812 or contact Mark Dutton at [email protected] or on 0044 (0) 7831 366 469.
