Skip to main content

Filed under:

MOVEit cyberattacks: keeping tabs on the biggest data theft of 2023

Share this story

In May 2023, a ransomware gang called Clop began abusing a zero-day exploit of Progress Software’s MOVEit Transfer enterprise file transfer tool. Progress quickly issued a patch, but the damage was already extensive. Clop’s widespread attack saw it steal data from government, public, and business organizations worldwide, including New York City’s public school system, a UK-based HR solutions and payroll company with clients like British Airways and BBC, and others.

How many others? According to a running tally from Emsisoft, over 2,000 organizations have reported being attacked, with data thefts affecting more than 62 million people. The vast majority of attacks were on US-based entities. Most recently, BORN Ontario, which first reported being attacked in June, revealed that data from newborns and pregnant patients in Ontario, spanning from January 2010 to May 2023, was stolen, affecting on the order of about 3.4 million people.

Progress issued two more patches on June 9th and June 15th, both of which addressed further vulnerabilities that were “distinct” from the original exploit. In both cases, the company’s page announcing those patches says that, while its investigations are ongoing, it doesn’t see any evidence they were used for further attacks.

There has been... so very much legal action after the attacks. Class action lawsuits have been filed against IBM, which ran servers that were breached for multiple organizations, Prudential Financial, Progress Software itself, and others. The MOVEit breach and other high-profile hacks have led to the SEC requiring public companies to issue disclosures within four days of discovering a cybersecurity incident, except when the disclosure could be a national security or public safety risk.

  • Emma Roth

    Nov 10

    Emma Roth

    Maine says MOVEit hackers accessed the information of 1.3 million people.

    The state government disclosed the breach in a notice posted to its website, stating that social security numbers, birthdates, and driver’s license numbers “may have been involved” in the incident:

    On May 31, 2023, the State of Maine became aware of a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software and used by thousands of entities worldwide to send and receive data. The software vulnerability was exploited by a group of cybercriminals and allowed them to access and download files belonging to certain agencies in the State of Maine between May 28, 2023, and May 29, 2023.

    It adds that anyone who wants to know whether their data was affected by the breach can contact Maine’s dedicated call center.

  • Emma Roth

    Oct 30

    Emma Roth

    MOVEit hackers accessed around 632,000 government emails last year.

    Last year, the Office of Personnel Management reported a “major hack” that allowed bad actors to view emails from the Department of Defense and the Department of Justice, according to a report from Bloomberg.

    Despite the breadth of the attack, the Office of Personnel Management reportedly said the emails hackers accessed were “generally of low sensitivity” and not classified.

  • Sony confirms server security breaches that exposed employee data

    An illustration featuring the Sony logo.
    Illustration by Kristen Radtke / The Verge

    Sony is sending out notices to some current and former Sony Interactive Entertainment (SIE) employees warning that their personal information was compromised in a system breach that occurred in May. The letters went out to about 6,800 affected individuals, as reported by Bleeping Computer. The publication also received confirmation from Sony that another breach occurred in September.

    A ransomware group known as Cl0p claimed responsibility for breaking into a Sony server in June. The breach occurred via a vulnerability in the file-sending MOVEit Transfer platform that SIE was using. Sony is one of many organizations that have been affected by MOVEit cyberattacks.

    Read Article >
  • Progress Software fixes more bugs attackers are exploiting in its “secure” file-transfer software.

    While attacks like the massive MOVEit breach have spurred regulators to implement new rules around disclosure, Progress Software released a patch for another one of its products last week (via TechCrunch).

    The September 2023 update addresses “multiple vulnerabilities” in its  WS_FTP file-transfer software for enterprise users who need to move data around securely, and as TechCrunch points out, security company Rapid7 reports it’s “observed multiple instances of WS_FTP exploitation in the wild.”

    Progress Customer Community


  • Wes Davis

    Sep 27

    Wes Davis

    The biggest known MOVEit hack leaked the personal information of up to 11 million people.

    Maximus, a company that administers government programs like Medicaid and Medicare, was swept up in the broad MOVEit hacking campaign in May that affected over 2,000 organizations.

    Victims filed a proposed class action lawsuit against the company after the attack, which as TechCrunch noted saw the leak of social security and other sensitive health information for between 8 and 11 million people.

  • Wes Davis

    Sep 27

    Wes Davis

    Over 50,000 students’ data was stolen in a recent MOVEit breach.

    National Student Clearinghouse (NSC), a Virginia-based educational nonprofit, said in a sample data breach notice filed with the California Attorney General that it suffered a MOVEit-related cyber attack on May 30th, reported Bleeping Computer.

    The NSC says in the letter that stolen data may include SSNs and other personal and school-related records. Bleeping Computer writes that 890 schools’ were affected. The organization acknowledges the breach and subsequent patch on its website.

  • Emma Roth

    Jul 26

    Emma Roth

    New SEC rules put a time limit on reporting hacks and data breaches

    Illustration of two smartphones sitting on a yellow background with red tape across them that reads “DANGER”
    Illustration by Amelia Holowaty Krales / The Verge

    Public companies will now have to disclose cybersecurity incidents sooner, thanks to a rule adopted by the Securities and Exchange Commission. Under the new policy, the SEC will require public companies to report data breaches and hacks four business days after they are discovered.

    Companies will have to disclose any cybersecurity incidents on a Form 8-K filing. These publicly available documents typically inform shareholders about major changes to the company — and now they’ll include a new Item 1.05 for cybersecurity incidents. The disclosure should include information on “nature, scope, and timing,” as well as “its material impact or reasonably likely” on the company.

    Read Article >
  • “Several” federal government agencies have been breached via the MOVEit vulnerabilities.

    Ransomware attacks against Progress Software’s MOVEit Transfer product breached several large organizations recently. Now Eric Goldstein of the US Cybersecurity and Infrastructure Security Agency (CISA) says his department is supporting several federal agencies that have experienced intrusions.

    Which ones? What data may have been stolen? The TSA and State Department said “not it” and CISA director Jen Easterly tells CNN she’s confident there won’t be “significant impacts,” but no one’s giving up more details.

    For more information: CISA, Mandiant, Progress.

  • A security exploit for a file transfer tool is behind data breaches at the BBC, British Airways, and more.

    Attackers using an unpatched exploit for Progress Software’s MOVEit Transfer product breached a number of large companies. TechCrunch lists BBC, BA, and Nova Scotia’s government as known victims already.

    Microsoft Threat Intelligence linked these to an affiliate of the Clop ransomware group, which TechCrunch notes has previously attacked exploits in other file transfer tools like GoAnywhere, and typically demands payment to not post the stolen records online.