In May 2023, a ransomware gang called Clop began abusing a zero-day exploit of Progress Software’s MOVEit Transfer enterprise file transfer tool. Progress quickly issued a patch, but the damage was already extensive. Clop’s widespread attack saw it steal data from government, public, and business organizations worldwide, including New York City’s public school system, a UK-based HR solutions and payroll company with clients like British Airways and BBC, and others.
How many others? According to a running tally from Emsisoft, over 2,000 organizations have reported being attacked, with data thefts affecting more than 62 million people. The vast majority of attacks were on US-based entities. Most recently, BORN Ontario, which first reported being attacked in June, revealed that data from newborns and pregnant patients in Ontario, spanning from January 2010 to May 2023, was stolen, affecting on the order of about 3.4 million people.
Progress issued two more patches on June 9th and June 15th, both of which addressed further vulnerabilities that were “distinct” from the original exploit. In both cases, the company’s page announcing those patches says that, while its investigations are ongoing, it doesn’t see any evidence they were used for further attacks.
There has been... so very much legal action after the attacks. Class action lawsuits have been filed against IBM, which ran servers that were breached for multiple organizations, Prudential Financial, Progress Software itself, and others. The MOVEit breach and other high-profile hacks have led to the SEC requiring public companies to issue disclosures within four days of discovering a cybersecurity incident, except when the disclosure could be a national security or public safety risk.
Nov 10Maine says MOVEit hackers accessed the information of 1.3 million people.
The state government disclosed the breach in a notice posted to its website, stating that social security numbers, birthdates, and driver’s license numbers “may have been involved” in the incident:
On May 31, 2023, the State of Maine became aware of a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software and used by thousands of entities worldwide to send and receive data. The software vulnerability was exploited by a group of cybercriminals and allowed them to access and download files belonging to certain agencies in the State of Maine between May 28, 2023, and May 29, 2023.
It adds that anyone who wants to know whether their data was affected by the breach can contact Maine’s dedicated call center.Maine govt notifies 1.3 million people of MOVEit data breach
Oct 30MOVEit hackers accessed around 632,000 government emails last year.
Last year, the Office of Personnel Management reported a “major hack” that allowed bad actors to view emails from the Department of Defense and the Department of Justice, according to a report from Bloomberg.
Despite the breadth of the attack, the Office of Personnel Management reportedly said the emails hackers accessed were “generally of low sensitivity” and not classified.
Sony is sending out notices to some current and former Sony Interactive Entertainment (SIE) employees warning that their personal information was compromised in a system breach that occurred in May. The letters went out to about 6,800 affected individuals, as reported by Bleeping Computer. The publication also received confirmation from Sony that another breach occurred in September.Read Article >
A ransomware group known as Cl0p claimed responsibility for breaking into a Sony server in June. The breach occurred via a vulnerability in the file-sending MOVEit Transfer platform that SIE was using. Sony is one of many organizations that have been affected by MOVEit cyberattacks.
Oct 2Progress Software fixes more bugs attackers are exploiting in its “secure” file-transfer software.
While attacks like the massive MOVEit breach have spurred regulators to implement new rules around disclosure, Progress Software released a patch for another one of its products last week (via TechCrunch).
The September 2023 update addresses “multiple vulnerabilities” in its WS_FTP file-transfer software for enterprise users who need to move data around securely, and as TechCrunch points out, security company Rapid7 reports it’s “observed multiple instances of WS_FTP exploitation in the wild.”Progress Customer Community
- The biggest known MOVEit hack leaked the personal information of up to 11 million people.
Maximus, a company that administers government programs like Medicaid and Medicare, was swept up in the broad MOVEit hacking campaign in May that affected over 2,000 organizations.
Victims filed a proposed class action lawsuit against the company after the attack, which as TechCrunch noted saw the leak of social security and other sensitive health information for between 8 and 11 million people.
- Over 50,000 students’ data was stolen in a recent MOVEit breach.
National Student Clearinghouse (NSC), a Virginia-based educational nonprofit, said in a sample data breach notice filed with the California Attorney General that it suffered a MOVEit-related cyber attack on May 30th, reported Bleeping Computer.
The NSC says in the letter that stolen data may include SSNs and other personal and school-related records. Bleeping Computer writes that 890 schools’ were affected. The organization acknowledges the breach and subsequent patch on its website.National Student Clearinghouse data breach impacts 890 schools
Public companies will now have to disclose cybersecurity incidents sooner, thanks to a rule adopted by the Securities and Exchange Commission. Under the new policy, the SEC will require public companies to report data breaches and hacks four business days after they are discovered.Read Article >
Companies will have to disclose any cybersecurity incidents on a Form 8-K filing. These publicly available documents typically inform shareholders about major changes to the company — and now they’ll include a new Item 1.05 for cybersecurity incidents. The disclosure should include information on “nature, scope, and timing,” as well as “its material impact or reasonably likely” on the company.
Jun 15“Several” federal government agencies have been breached via the MOVEit vulnerabilities.
Ransomware attacks against Progress Software’s MOVEit Transfer product breached several large organizations recently. Now Eric Goldstein of the US Cybersecurity and Infrastructure Security Agency (CISA) says his department is supporting several federal agencies that have experienced intrusions.
Which ones? What data may have been stolen? The TSA and State Department said “not it” and CISA director Jen Easterly tells CNN she’s confident there won’t be “significant impacts,” but no one’s giving up more details.
Jun 5A security exploit for a file transfer tool is behind data breaches at the BBC, British Airways, and more.
Attackers using an unpatched exploit for Progress Software’s MOVEit Transfer product breached a number of large companies. TechCrunch lists BBC, BA, and Nova Scotia’s government as known victims already.
Microsoft Threat Intelligence linked these to an affiliate of the Clop ransomware group, which TechCrunch notes has previously attacked exploits in other file transfer tools like GoAnywhere, and typically demands payment to not post the stolen records online.