Companies and government offices across Europe and the U.S. say they were hit by a cyberattack on widely used file-sharing software, as hackers warned victims they would publish stolen data online unless they paid a ransom this week.
Hackers behind the ransomware group known as Cl0p told victims to pay by Thursday or face having their data exposed. The attackers exploited a vulnerability in Progress Software’s MoveIt product, a file-sharing tool used by corporate and government customers.
The attack on the MoveIt tool underscores the risk to companies from third-party suppliers, even if they aren’t customers but work with others who are. Cyberattacks on other little-known, yet ubiquitous, software have had similar ripple effects in the U.S. and Europe. These include the hacks on software providers SolarWinds in 2020, and Kaseya in 2021. A vulnerability in Log4j, also discovered in 2021, has been used by hackers in a similar fashion. This incident is different in that the gang doesn’t appear to have deployed ransomware on systems, analysts said, choosing instead to steal data and attempt to extort its owners.
Companies including the British Broadcasting Corp., British Airways and Irish airline Aer Lingus were among the first reported victims hit this month after payroll service provider Zellis was compromised in the attack.
A spokesperson for Zellis said that “a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected.”
Since then, American organizations including Johns Hopkins University and Johns Hopkins Health System, the state of Missouri, the University of Rochester and the state of Illinois have disclosed they were also affected.
An official at the U.S. Cybersecurity and Infrastructure Security Agency, which issued an advisory on the vulnerability last week, said that “several” federal agencies had also fallen victim, but didn’t provide details.
The BBC found out about the incident through IBM, one of the BBC’s suppliers and a customer of Zellis, the broadcaster’s chief financial officer told employees in an email last week. IBM didn’t respond to a request for comment. The BBC’s chief financial officer told employees that personal data including names, dates of birth, national insurance numbers and addresses from some employees was affected.
BA and Aer Lingus didn’t respond to requests for comment. Johns Hopkins said that it is investigating the incident that affected its networks “as well as thousands of other large organizations around the world.”
Energy giant Shell said it is aware of a cybersecurity incident affecting MoveIt, which is “used by a small number of Shell employees and customers. There is no evidence of impact to Shell’s core IT systems,” a spokesperson said.
Ireland’s public health system also said it was affected by the attack through a project on automating recruitment processes with accounting firm EY. Personal data from up to 20 people involved in recruitment processes was exposed, including names, addresses and cellphone numbers, but financial or other sensitive data wasn’t, a spokeswoman for the Health Service Executive said.
“Any breach is regrettable but unfortunately a feature of international criminal activity in recent years,” HSE Chief Executive Bernard Gloster said through the spokeswoman. Ireland’s healthcare system was paralyzed by a separate ransomware attack in 2021 that cost it tens of millions of euros to repair damaged technology. EY didn’t respond to a request for comment.
Large file-transfer platforms have become prime targets for criminal gangs, given the ability to potentially reach thousands of victims through the use of a single vulnerability and ready access to sensitive information. In February, software company Fortra disclosed a vulnerability in its GoAnywhere tool, which the same gang responsible for the attack on MoveIt used to steal data from companies and attempt to extort them. Fortra didn’t respond to a request for comment.
Progress Software, the supplier of the MoveIt tool, has issued patches to fix the vulnerability. A company spokesperson said it is working with cybersecurity specialists and law-enforcement agencies to respond, and with customers to ensure they are up-to-date on patches.
John Hammond, a senior security researcher at Huntress Labs, which has identified further vulnerabilities in the MoveIt tool that prompted Progress to release more patches, said security chiefs should be actively monitoring developments.
“It still sounds like there are a couple of embers to this wildfire, and we don’t know if it’ll catch ablaze again,” he said.
Write to Catherine Stupp at catherine.stupp@wsj.com and James Rundle at james.rundle@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.