British Airways (BA) has revealed it is among the companies affected by a major cybersecurity breach at a payroll management company based in the United Kingdom.
On June 5, 2023, a firm called Zellis, to which BA subcontracts the management of its payroll, disclosed it had been targeted by a cyberattack exploiting a previously unknown vulnerability in a third-party file transfer system called MOVEit.
As a result of the attack, it is believed that personal data belonging to all the airline’s staff who are paid in the UK has been compromised, including bank account details, national security numbers, home addresses and dates of birth.
At least one other large British company, pharmacy chain Boots, was also targeted by the hackers. Zellis, the payroll firm at the center of this case, manages payroll for nearly half of Britain’s FTSE100 listed companies, with combined staff numbering in the millions.
This is not the first time that BA has been the victim of massive data theft. In 2018, personal data belonging to some 400,000 passengers was stolen from the British airline.
At the time, the Information Commissioner’s Office (ICO), the government entity in charge of supervising personal data protection, imposed a £180 million fine on BA, although upon appeal this amount was later reduced to £20 million.
Security breaches have not been the only IT-related headache for BA in the last few years.
The British airline has suffered a number of software glitches, which have cost the airline tens of millions of pounds. On December 20, 2022, issues with check-in and departure control software grounded hundreds of flights for a number of hours. A similar issue in 2017 also created severe disruption across its network.