Safeguarding payroll data from cyber attacks

26 July 2023

MOVEit cyber attack

The recent cyberattack on MOVEit has affected organisations globally, ranging from government defence organisations to payroll and pension funds. The attack was carried out by a group known as ‘Cl0p’, a state funded group motivated by disruption rather than financial gain. The success of their attack lies in what they targeted. MOVEit is a Software as a Service (SaaS) or on premises solution, providing a method of ‘securely’ moving and encrypting files. Within the software sold was a bug that allowed attackers to inject a series of commands that would retrieve files stored on the MOVEit software solution. This bug was identified and exploited by Cl0p,  disrupting many organisations using this software and effecting millions of people.

MOVEit has taken immediate action to address the identified vulnerabilities and prioritise the protection of its customers. The company has released patches to address these vulnerabilities, which are now available to MOVEit customers. It’s strongly advised that MOVEit customers thoroughly review the provided patches and promptly apply them.

Managed file transfer

This type of attack is increasing in popularity as working remotely and SaaS have increased in popularity. Required integration and movement of files between organisations have increased the attack surface for attackers. Traditionally they’d  look to encrypt an organisation’s data and extort money by offering them a key to unencrypt it. Attackers are now stepping away from the encryption part and just stealing sensitive data and threatening to post it online if a ransom is not paid.

Risks of exchanging data

Transferring sensitive data, such as payroll data, to third parties means that the original organisation no longer has full control of the data but may still be liable for how it’s managed. This raises questions over legal and ethical responsibilities when transferring data to third parties.

When organisations share personally identifiable information (PII) with a third party for business requirements, the responsibility of keeping that data secure lies with the originally entrusted and now the additional third party. According to General Data Protection Regulation (GDPR):

  • the organisation is considered the ‘data controller; and remains legally responsible for the security of PII;
  • the data controller should establish a clear agreement with their third party, in this case the data processer, in handling the PII; and
  • article 28 of the GDPR prescribes the provisions which must be included in a data processing contract between a controller and a processor.

It’s essential that business’ have an awareness of the security practices of any potential third party service providers and agree contractually in writing to the measures it will take to secure its systems.

In the event of a data breach, the level of liability depends on the specifics of the contract signed with the third party. If you don’t have a contract, then you have not fulfilled your responsibilities under the GDPR and can be liable to financial penalties regardless of how the breach occurred or whether the third party were wholly responsible for not securing their environment effectively.

Ensuring data security

According to the GDPR, due diligence must be conducted by the data controller before handing over any personal data to the data processor. You must be sure the third party manages their data in a secure way and be able to prove you have done your diligence checks. When reviewing third parties’ areas for consideration include (but are not be limited to):

  • cyber security audits, when was the last one conducted? Do not assume third parties take their cyber security compliance seriously, ask them to provide proof;
  • a third-party cyber security audit instructed by the data controller for the data processor could be required;
  • does the third party have any certifications; Cyber Essentials Plus certification or ISO27001;
  • when was their last network penetration test, vulnerability assessment or red teaming assessment?
  • regularly review your relationship with third party service providers and check they are maintaining your required standards and audit requirements; and
  • conduct Data Protection Impact Assessments (DPIAs) to confirm with the data processor that they’ll only use the data as intended by the data controller.

If a breach occurs

The MOVEit attack demonstrates that even if your software is fully up to date, unknown or undisclosed vulnerabilities can still lead to a breach. In these instances, it’s about limiting the damage of the breach. Data controllers and data processors are duty bound to inform the effected parties in a timely fashion. This should be reflected within the contractual agreement signed between the data controller and the data processor.

According to the Information Commissioners Office (ICO);

‘By law, you have got to report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours after having become aware of it. You might end up not needing to report it, but start a log anyway, to record what happened, who is involved and what you are doing about it.’

An incident response plan should be part of your organisation’s policies. It should be regularly evaluated and reviewed. Preventing a breach is just as important as planning and being prepared for a breach.


Malware and ransomware attacks, such as the recent MOVEit attack, have unfortunately become increasingly common in today's technological landscape. This incident demonstrates the importance for organisations to prioritise data security and risk management, particularly when sharing sensitive information with third parties. By implementing the recommended steps and adopting a proactive approach to data security, organisations can effectively mitigate the potential damage of cyberattacks and maintain the trust of their stakeholders.

For more information on how you can protect your business against the rising threat of a cyber-attack, contact Sheila Pancholi.