A statement from Zellis (Updated September 14, 2023)
On May 31, 2023 Progress Software revealed a previously unknown (‘zero-day’) vulnerability in its MOVEit transfer software, in wide use among public and private sector organisations around the world. At that time, Zellis deployed MOVEit Transfer software to support bespoke processes with a small number of customers.
As soon as we became aware of this vulnerability we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team from our Managed Security Service Provider (MSSP) to assist with forensic analysis and monitoring.
Within hours, we determined that 8 customers suffered a data exfiltration, the malware having taken advantage of the vulnerability in MOVEit Transfer, and not through any of Zellis’ own software. We used another external specialist cyber forensics company to independently validate these findings, and further confirmed there was no ‘lateral movement’ by the malicious actor to any other areas of the business.
This confirmed, we immediately began communications to impacted customers with a clear and transparent explanation of the incident. In the days that followed, we further supported our customers in their outreach to impacted data subjects: offering information, helpdesk support and a term of free identity protection cover from Experian.
Finally, we made an early, voluntary submission to the ICO in the UK and DPC in Ireland, and provided timely follow ups to our submission. We are continuing to provide support to ongoing criminal investigations into the incident.
This process of rapid notification made Zellis one of the first companies to be publicly associated with the MOVEit vulnerability story. It is important to reiterate that all Zellis-developed software was completely unaffected by this incident and there was no interruption to our service to customers. We are grateful to the customers and stakeholders who have told us they appreciated the speed and transparency of our approach.
Neither Moorepay or Benefex were using the MOVEit tool, so these businesses were unimpacted by this incident.