By Joe Tidy
Cyber correspondent
Cyber- criminals have told the BBC they do not have data belonging to large UK organisations thought to be victims of a mass hack.
Firms including the BBC, British Airways and Boots have told staff that sensitive payroll data was stolen in last month’s breach.
But now the hackers Clop, speaking over email, claim “we don’t have that data”.
It raises the possibility that another unknown hacking gang has the stolen data or that Clop is lying.
Zellis, the UK payroll provider that hackers breached to gain access to the BBC, Boots and BA’s data, said it could not comment as a police investigation was ongoing.
Since 14 June, Clop has been posting company profiles of victims of its hack to pressure them into paying a ransom.
But none of the UK’s largest and most well-known victims’ names has been posted so far.
In small batches Clop has added the names, websites and company addresses of nearly 50 victims to its darknet website.
The organisations include banks, universities, travel firms and software companies from more than a dozen different countries including the US, Germany, Switzerland, the UK, Canada and Belgium.
Some of the companies listed by Clop on their so-called “leak site” have separately confirmed that they have had data stolen.
Clop is threatening to publish the stolen data unless victims pay a ransom which is likely to be hundreds of thousands of dollars or more in Bitcoin.
‘We don’t have that data’
It is thought hundreds of organisations who used the file transfer tool MOVEit have had their data stolen.
That included eight big UK organisations – among them the BBC, BA and Boots – who were customers of Zellis which was itself breached through MOVEit.
But in an email exchange with the BBC the cyber-criminals repeatedly claimed not to have stolen the Zellis data.
“We don’t have that data and we told Zellis about it. We just don’t have it. We are an old group and have never deceived anyone, if we say that we do not have information, then we do not have it,” the hackers claimed.
Zellis would only refer us to its previous statement, which said: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.”
The company says that as soon as it became aware of the hack it took immediate action and disconnected the computer server on which the MOVEit software was installed.
The firm says it has brought in an expert external security team to help it respond to the attack and has notified the relevant UK data authorities.
Multiple possibilities
Cyber-security experts are puzzled by Clop’s claims which further muddy an already complex situation.
Threat researcher Brett Callow, from Emsisoft, said Clop could be covering up the fact it stole the data as part of a sale deal with another hacking group.
But Clop claimed “we didn’t sell anything to other hackers”.
Other experts say there are many possibilities.
“Clop has no real reason to say they don’t have the data,” said SOS Intelligence boss Amir Hadžipasić .
“If they are telling the truth then it makes me think that some other hackers may have got in and stolen the data before Clop and if Clop don’t have the data then this situation is less predictable. The files are going to end up somewhere on the darkweb via another hacking group,” he added.
The hack was first announced on 31 May by Progress Software, the makers of MOVEit.
The criminals found a way to break into MOVEit and were then able to use that access to get into the databases of potentially hundreds of other companies.
Since the initial MOVEit disclosure, however, researchers have found many security issues within the software which means it is possible that the data was stolen in a different way by a different group.
On Friday, the US announced a $10m reward for “information linking the Clop gang or any other malicious cyber -ctors targeting US critical infrastructure to a foreign government”.