Following yesterday’s massive payroll data breach across the BBC, British Airways and Boots, the BBC’s Chief Financial Officer Alan Dickson has now written to all BBC staff to update them on the information obtained in the breach, along with next steps. Fingers now point to a Russian cyber gang as the culprits…
According to Dickson, so far, the following data has been compromised for affected employees:
• BBC ID Number
• Title
• First Name
• Last Name
• Date of Birth
• National Insurance Number
• Address line 1
• BBC Email Address
• BBC Employment or Engagement Start Date
• BBC Employment or Engagement End Date
Dickson assures that there is no evidence – yet – that the info has been exploited, nor have bank account details been compromised “at this stage”. They’ve also been assured this attack won’t affect June payroll. Huw Edwards’ paycheque is safe…
Read Dickson’s full email below:
“Dear all,
Following my note on Saturday 3 June, here is a further update on the data breach and work underway in response.
On Friday 2 June, we were informed by our supplier IBM that their contractor, Zellis, has been affected by a vulnerability in the third-party software it uses (MOVEit Transfer, provided by Progress Software). This led to a data breach affecting several organisations, including the BBC. The breach has been reported to the Information Commissioner’s Office and appears to be a significant global technical issue.
Zellis manage the payroll process for the BBC and therefore hold personal data about BBC employees and individuals engaged by the BBC on a PAYE basis.
Information on data disclosed
Our specialist teams have been working closely with our suppliers to understand more about the data that was disclosed and to identify the affected individuals.
We can now confirm the following data was included:
• BBC ID Number
• Title
• First Name
• Last Name
• Date of Birth
• National Insurance Number
• Address line 1
• BBC Email Address
• BBC Employment or Engagement Start Date
• BBC Employment or Engagement End Date
Our Information Security team is monitoring internet activity closely. There is still no evidence that the data is being exploited. Furthermore, Zellis has confirmed they have no evidence that bank account details have been compromised at this stage.
BBC systems have not been impacted and you do not need to change your BBC password (unless you would feel more comfortable to do so).
How we will confirm if you have been affected
If your information is included in the data file, you will receive an email soon to confirm this. We will also provide you with a unique identification number for accessing a credit and web monitoring service [see below].
Support and advice
To help you monitor your personal information, you will be offered 12 months of free identity monitoring services, provided by Experian, one of the UK’s leading credit reference agencies. The service is called Experian Identity Plus and will monitor the web and social networks for stolen information sources and will alert individuals if anything is found. Instructions for how to register for the service will be included in the email and you are advised to read the information in detail.
And, to reassure you, BBC Payroll Services has confirmed that this will not affect any payments due in June.
Action to take
Please be vigilant for any activity that seems unusual and review the guidance and advice that can be found here. Although there is no evidence that password data has been disclosed, these types of incidents can expose individuals to a higher risk of being victim to scams, identity fraud and unsolicited contact.
We would encourage you to:
• Have strong passwords on all important online services, such as banking.
• Be cautious of any unsolicited and unexpected communications that ask for your personal information or refer you to a web page asking for personal information.
• Avoid responding to, clicking on links, or downloading attachments from suspicious email addresses.
Next steps
We appreciate that this is a concerning situation – you can find the most up to date information in our FAQs here.
Should you wish to speak to someone, you can contact the BBC Payroll Service Desk on xxx (internally) or xxxx xxx xxxx (externally), selecting option 2, followed by option 3 and then option 1 for Payroll. Or you can contact our Employee Assistance Programme. Please note these teams do not have any further information than what is included in the FAQs and will not be able to confirm if you have been affected by the data breach; this will only be confirmed via email on Tuesday.
Best wishes,
Alan Dickson
Chief Financial Officer”