The personal details of Boots staff have been targeted in a Russia-linked cyberattack impacting potentially thousands of companies around the world.

In the UK, the BBC, British Airways and Aer Lingus have also been affected, with the firms warning staff that their bank account details, national security numbers, home addresses and dates of birth may have been compromised.

The UK companies impacted by the hack are all users of Bristol-based payroll company Zelis.

Zelis said the attack exploited a vulnerability in Progress Software’s MoveIt Transfer product, a third-party software designed to move sensitive files securely.

“Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware,” a Boots spokeswoman told The Grocer.

The vulnerability “included some of our team members’ personal details” they added.

It is understood eight Zelis customers in the UK have been affected. On the firm’s website it also lists Wilko, Iceland and Harrods as clients. Iceland told The Grocer it was not affected.

Progress Software said the vulnerability allowed for an “unauthenticated attacker to gain access” and “alter or delete” data.

Microsoft security experts are attributing the attack to Lace Tempest, a group known for ransomware operations and running the Cl0p extortion website where victim data is published.

“The threat actor has used similar vulnerabilities in the past to steal data and extort victims,” Microsoft said in a blog post.

The group has become notorious for targeting popular file transfer services used by major corporations and governments in recent years. Earlier this year it hit file sharing service Fortra GoAnywhere, which it used to steal data from 130 companies, it claimed. In March, P&G confirmed it was among them, with “some information about P&G employees” taken.

The Russia-linked group was also behind a major attack of Accellion’s file sharing tool in 2021, which impacted US grocery giant Kroger among many others.

A spokeswoman from Zelis said the company took “immediate action, disconnecting the server that utilises MoveIt software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring” as soon as it became aware of the incident.

“We employ robust security processes across all of our services and they all continue to run as normal,” she added.

A spokesman for the UK’s National Cyber Security Centre said it was “working to fully understand the UK impact” of the hack.

“The NCSC strongly encourages organisations to take immediate action by following vendor best practice advice and applying the recommended security updates,” they added.

Progress Software’s website says it is used by “thousands of organisations around the world”.

“What we’re seeing here may be just the start of yet another hugely significant incident in cyber industry, and what should be a watershed moment for software security,” said Rick Jones, co-founder of cyber security firm DigitalXRAID.