Media Coverage

Kingsley Hayes discusses the Zellis data breach in Infosecurity Magazine

Partner and Head of Data and Privacy Litigation, Kingsley Hayes, has commented on the hack on payroll service provider Zellis via third-party file transfer software MOVEit in Infosecurity Magazine.

Kingsley’s comments were published in Infosecurity Magazine and The Stack, 6 June 2023, here and here, and Employer News and UK Tech News, 7 June 2023, here and here.

The data breach was claimed by Russian cybercriminal group Cl0p and affected at least eight of Zellis’s customers including the BBC, British Airways, and Boots.

Kingsley commented:  

“When data hacks involving third parties occur – such as in this latest data breach – there are always questions about who is to blame. It is a tricky question to answer, especially in this case where there are multiple points of failure.

“Nevertheless, while it was MOVEit that was hacked, employers remain responsible for the security of their employee data. Following the breach, the ICO will likely want to know more about the affected organisations’ security measures, and their relationships with Zellis in regard to data protection.

“While ransomware attacks are becoming ever more frequent, it is unusual for cybercriminals to demand that victims get in touch with them to begin negotiations. With many points of failure in this breach, it’s unclear whether Cl0p wants Zellis, MOVEit, or its affected clients to contact them.

“We would never advise any victim of a data breach to enter into discussions with cybercriminals. Not least because by the time data is in the hands of bad faith actors, it’s simply too late to keep it safe. We would advise all affected organisations take immediate steps to tighten up their data security practices, and to make sure their employees are kept fully informed about what is happening.

“Such measures are vital, because if your organisation handed personal data to a third party, then this data – and the safety of those it belongs to – remains your responsibility. This is the case regardless of who was breached. To the victims we would advise staying alert to calls and messages that maybe seeking to extort money or further information; your data is highly valuable in the wrong hands.”

Maltin PR

Recent Posts

KP Law Highly Commended at the Modern Law Awards 2024

We are very pleased to share that KP Law has been Highly Commended at the… Read More

9 months ago

Keller Postman UK merges with Lanier, Longstaff, Hedar & Roberts to form specialist collective redress law firm KP Law Limited

Today Keller Postman UK Limited and Lanier, Longstaff, Hedar & Roberts LLP announce their merger… Read More

9 months ago

What is group litigation?

Group litigation, also known as class action or group legal action, is a process where… Read More

9 months ago

What’s been happening in January 2024?

What’s been happening in January 2024? In our regular monthly update, we share the latest… Read More

9 months ago

What is talcum powder cancer?

What is talcum powder cancer? Here, we explain what talcum powder cancer refers to and… Read More

10 months ago

Lucy Burrows comments on 23andMe’s response to its data breach in ITPro

Associate Lucy Burrows provides insight on the 23andMe data breach and highlights the danger of… Read More

11 months ago