Cybersecurity experts are bracing for a potential wave of extortion demands after a vulnerability was discovered in encrypted file-sharing software, a flaw that hackers have already used to target a string of high-profile victims, including British Airways and the BBC.

Several companies and a Canadian province said on Monday that they were dealing with breaches related to the secure file transfer product MOVEit from Progress Software Corp, according to statements from several of the affected entities. The vulnerability allowed hackers to steal files that companies had uploaded to MOVEit, according to Progress.

The flaw had prompted security alerts in recent days from the US Department of Homeland Security, the UK National Cyber Security Centre, Microsoft Corp. and Mandiant, a subsidiary of Alphabet Inc’s Google Cloud.

Progress released a patch for the software last week.

"When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps,” spokesperson John Eddy said in a statement.

Microsoft said the hackers responsible for the attacks on MOVEit servers also run the Clop extortion website. Clop is the name of a ransomware variant that has been deployed against companies and organisations around the world, and it also sometimes refers to the hacking gang that uses it. Hackers affiliated with the group also steal data and threaten to publish it on its website if a ransom isn’t paid.

The group has primarily targeted the health care and financial sectors and has existed since February 2019, according to Trend Micro Inc. The same attackers were responsible for previous hacks of two other secure file transfer products developed by Accellion Inc and Fortra LLC, Allan Liska, senior intelligence analyst at Recorded Future Inc.

Publicly available data sources show there are thousands of vulnerable MOVEit servers that could have been affected by the software flaw, Liska said. The criminal hackers are expected to begin contacting companies and demanding payment in cryptocurrency in exchange for not uploading the company’s stolen data online, he said.

An Internet search of publicly visible MOVEit servers preformed by Bloomberg News shows that law firms, health-care organisations and IT firms are among its users.

A representative for the extortion gang said in an email to Bloomberg News that it deleted data stolen from "military, GOV, children’s hospitals, police.” It wasn’t possible to verify the group’s claim.

When asked how many companies were breached, the representative replied, "You all recognise them if they refuse to pay, they will appear on our blog.”

Charles Carmakal, chief technology officer at Mandiant, said the earliest observed exploitation of MOVEit occurred on May 27.

"We’re expecting the extortion communications to start anytime within the next four weeks or so,” he said. "There is a lot of data that the threat actor has to sort through. When the extortion starts, it will probably carry on for a few months.”

British Airways, the pharmacy chain Boots and the BBC told thousands of staff that personal information may have been compromised by a cyberattack on their payroll provider, Zellis.

In a statement, Zellis said a "small number of customers” have been impacted. "Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring,” according to a statement. British Airways said in a statement that the incident occurred "because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool.”

The government of Nova Scotia said it is investigating the theft of personal information related to the MOVEit vulnerability. "Government is working to determine exactly what information was stolen and how many people have been impacted,” according to a statement.

At British Airways, the hack led to the disclosure of employees’ personal information, including names, surnames, dates of birth and potentially banking details, according to a spokesperson for the carrier, which employs around 35,000 people.

Boots, with more than 50,000 workers, said employees’ personal details were affected. The server was disabled and staff have been made aware, said a spokesperson for Boots, which is owned by Walgreens Boots Alliance Inc.

The BBC confirmed it had been affected by the attack on Zellis. A spokesperson said it was urgently trying to establish the extent of the data breach.

"This is a typical case of a supply chain attack targeting multiple companies at once that hold extremely sensitive data on employees,” said Jake Moore, a UK-based cybersecurity expert and global adviser to the cybersecurity firm ESET. "The security patch on offer is absolutely vital and should have now been installed by all affected companies to remain protected.” – Bloomberg