´óÏó´«Ã½

Zellis ´óÏó´«Ã½ Payroll Data Disclosure 

We have been informed by our supplier IBM that their contractor, Zellis, has been affected by a vulnerability in the third-party software it uses (MOVEit Transfer, provided by Progress Software). This has led to a data breach affecting several organisations, including the ´óÏó´«Ã½.  

Zellis manage the payroll process for the ´óÏó´«Ã½ and therefore hold personal data about ´óÏó´«Ã½ employees and individuals engaged by the ´óÏó´«Ã½ on a PAYE basis and in some instances information about past employees. IBM and Zellis have confirmed that no bank account details or other data were included in the data breach.

The breach has been reported to the Information Commissioners Office and appears to be a significant global technical issue.  

For ´óÏó´«Ã½ Colleagues, .  

What you need to know 

How quickly was it identified as an issue? 

IBM and Zellis notified the ´óÏó´«Ã½ of a potential data breach on Friday (2 June). The ´óÏó´«Ã½ has since then been working to confirm the details of the breach.  

The MOVEit vulnerability was published by the software vendor on 31 May. Zellis was notified and took action to secure their systems. Subsequently they investigated to confirm if any data had been disclosed prior to the vulnerability being published. Zellis discovered that some data had been taken on 28 May and they then took action to notify affected customers.  

What steps have been taken to secure our data and prevent any further data compromise?  

Zellis has isolated their MOVEit server and confirmed that there has been no other cyber security activity on their systems.  

The ´óÏó´«Ã½ Information Security team are monitoring cyber activity and have found no evidence of any illegal activity using the data to date. They will continue to monitor this closely. 

Does this mean anyone who has worked for the ´óÏó´«Ã½ has been subject to data breach?

We know this has affected current staff/freelancers and some former staff/freelancers and we are contacting those people directly to inform them and offer support.

How will I know if my data has been disclosed?  

Investigations have confirmed data disclosed includes personal information for ´óÏó´«Ã½ staff both past and present. Freelance colleagues who have always been gross paid, and therefore have not ever been paid through the Zellis payroll system are not affected. 

The ´óÏó´«Ã½ and Zellis are working to contact everyone who has been affected by the breach.

How do you manage personal data?

We take data security extremely seriously. We hold personal data in line with our own well established data retention policies, based on UK regulation and best practice.  

The ´óÏó´«Ã½ holds data for different periods of time driven by legal and business requirements. This is in line with appropriate legal, regulatory and business best practice. However, we will use this opportunity to further review our policies and ensure compliance.

What other action is the ´óÏó´«Ã½ taking?  

The ´óÏó´«Ã½ is continuing to work closely with IBM and Zellis and other partners including cyber-security professionals to understand the risk. The breach has been reported to the Information Commissioners Office (ICO).  

When will you provide an update?  

We will continue to share updates when any new information is available on this site.  

How much more concerned should we be now that British Airways (who also use Zellis) have confirmed that some of their staff have had their bank and personal details exposed?

Different customers of Zellis have had different data taken during the incident. Zellis has confirmed in writing that no banking details of ´óÏó´«Ã½ employees and freelancers have been taken in this data breach, whereas some other companies have reported that this information formed part of their data loss.

This has been referred to the Information Commissioner Office (ICO), but what can/will they do about it?

The ICO will investigate all reported data breaches. The ICO can take regulatory action or make recommendations for continuous improvement.

What changes are the ´óÏó´«Ã½ making to verify the identity of individuals who contact payroll?

As the disclosed data includes information used to verify the identity of people calling the ´óÏó´«Ã½ Payroll Service Desk via Zellis, effective immediately any callers will be asked to verify using alternative personal information that has not been disclosed.

Is the ´óÏó´«Ã½ Pension Scheme impacted?

Zellis do not operate the ´óÏó´«Ã½ Pension Scheme pensioner payroll or provide any other services to the ´óÏó´«Ã½ Pension Scheme and this data breach does not directly affect the Scheme.

What are the risks to me?

These types of incidents can expose individuals to a higher risk of being victim to scams, identity fraud and unsolicited contact. As such, we recommend best practice be applied and we would encourage you to ensure you have strong passwords on all important online services.

What might illegitimate use of my data look like?

Should someone attempt to impersonate you to attempt access to your accounts or to create a new account you may see indications such as an unexpected text message or email about activity around your account/login or asking you to confirm it is you who is about to attempt an action.

- If you are unsure, do not approve any request and contact the service or organisation, and ask for their fraud department.

- Always use verifiable contact details that are already in your possession or on paperwork you have received.

- Do not use contacts or links in unexpected emails or text messages.

What do I need to do immediately?

- Please be vigilant for any activity that seems unusual and be cautious of any unsolicited and unexpected communications that ask for your personal information or refer you to a web page asking for personal information.

- Please also avoid responding to, and/or clicking on links or downloading attachments from suspicious email addresses.

- The ´óÏó´«Ã½ recommends the use of strong passwords and Two Factor Authentication (2FA) where available, particularly for your important online services.

How long do I need to be on guard following this data breach?

Staying safe online and maintaining a strong awareness of your personal information has always been, and will continue to be, a key factor in staying safe online. It is always recommended that when you are asked for any personal, financial, or commercial detail or insights about others, whether that is an email, a text, social media, or phone call you challenge the validity of the person asking for the information.

Historically, criminal groups will leverage high visibility incidents and events that impact a number of people or attract media coverage to give their scams and campaigns a sense of familiarity and authenticity. Saying “No” to someone asking for information and/or demanding you act straight away is acceptable.

What further support is available?

For further help and advice, or if you think you've been a victim of identity theft, please visit the  (ICO) website.

ENDS

**

 (You'll need to access the site via ´óÏó´«Ã½ Login).

All of our systems are currently working as normal. If any issues arise we'll post updates on this page.