One business organization was breached, and according to TechCrunch more than TWENTY-FIVE HUNDRED (and counting) organizations had been compromised as of December 2023. Many received this heart-stopping message:
Hello, this is the CL0P hacker group. As you may know, we recently carried out a hack, which was reported in the news on site [redacted].
We want to inform you that we have stolen important information from your MOVEit MFT resource and have attached a full list of files as evidence.
We deliberately did not disclose your organization and wanted to negotiate with you and your leadership first. If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day. You can read about us on [redacted] by searching for CLOP hacker group.
You can contact us using the following contact information:
unlock@rsv-box[.]com
and
unlock@support-mult[.]com
The above message is a reproduction of the extortion demands being received by an ever-growing number of organizations being victimized by ransomware attacks stemming from the recent and notorious MOVEit breach. No CISO, IT information security chief or chief executive ever wants to receive one of these and they work tirelessly every day to avoid it. Yet, through no fault of their own, thousands have received this letter and seen their data and information systems hijacked for ransom.
Different organizations may respond differently to having their operations held hostage and their data sold on the dark web. Some pay the ransom and hope for the best. Others try all manner of zero-day responses. Whatever course they choose though, two things are inevitably true. One, the long-lasting damage to their business will be severe and two, the pain could have been avoided.
The MOVEit breach of 2023 is a particularly poignant object lesson because it illustrates how a single point of failure in a security regime can metastasize well beyond the confines of a single organization and draw scores, even hundreds, of others into the same world of hurt. More importantly, it reveals how ANY organization can be victimized by a data breach even if the attack is aimed at a completely different, unaffiliated company.
The latest in Privacy Bee’s ongoing series of cyberattack postmortems, this document contains a profile on the victimized organization and a recap of key information about how the attacks were committed. It will also reveal, through this real-world example, just how easily a breach affecting a completely unrelated organization can have serious, damaging consequences for your operation and what you can do to protect against it.
Almost always, there is more than one vulnerability exploited by threat actors to successfully effectuate these attacks. There are often multiple failures within the victim organization’s overall infosec strategy which, combined, enable threat actors to achieve their criminal goals. As we’ll see, especially in this case, the follow-on consequences of the initial breach grow far worse over time.
This Didn’t Begin with a Privacy Failure but Will End With Thousands More if Left Unsecured
Most of the enormous, costly data breaches and cyberattacks examined by this series were enabled by weak or absent external data privacy protection, a consideration all too frequently overlooked by even the most sophisticated infosec programs, and one which, even in the aftermath of a catastrophic security breach, is still left inadequately addressed. The MOVEit breach, however, differs from many others. It was not achieved due to a privacy-related failure. Yet the role of unsecured external data is central to the mounting damage this initial breach continues to cause. The fortunes of thousands of organizations are negatively impacted by this one breach, except for those with strong external data privacy practices already in place.
Regardless of how robust an organization’s information security may be, its employees’ data is held in the databases of any number of other businesses, government agencies, social media platforms, user groups, data brokers/people search sites, etc. It is precisely for this reason that any organization serious about infosec should implement best practices for data privacy protection as standard procedure. By minimizing the bulk volume of unsecured external data as a standard operating procedure, organizations can more quickly and effortlessly manage and mitigate the damage inflicted should their employees’ data be exposed in a massive breach like MOVEit.
The Victim Organization
The attack is referred to in popular media as the MOVEit breach, but MOVEit is the name of a managed file transfer software product produced by Ipswitch, Inc. Ipswitch is owned by parent company Progress Software. Progress Software, a mature, publicly traded company founded in 1981 by MIT grads, has offices in 16 countries and employs more than 2100 people, and recent reporting discloses revenues of more than $600 million.
Progress Software has a diverse portfolio of tech products for web content management, application development, cloud-based data management, several file transfer management products including the breached MOVEit product and numerous others.
For purposes of this postmortem analysis, we will be referring to MOVEit as the ground-zero organization for the attack and corresponding consequences.
The Known Facts of the Attack
On June 07, 2023, the US Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory announcing that the CL0P Ransomware Gang had exploited a vulnerability in the MOVEit file transfer software, potentially exposing all those using MOVEit to data breach.
CISA wrote, “According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases.”
The MOVEit software was widely used by multinational business consulting firms like PriceWaterhouseCoopers and Ernst & Young, each with thousands of businesses as clients. MOVEit was used widely in US government agencies like the US Departments of Energy, Defense and others. It was in use by leading energy companies, media organizations, hospitals, healthcare providers, airlines, consumer product companies and many other organizations in many other sectors.
MOVEit was also very widely used in colleges, universities, and higher education organizations worldwide. Below is only a partial list of the well-known organizations – 900 plus – whose data was compromised and many of which were extorted by ransomware threats from the CL0P Ransomware Gang. The sheer volume of this partial list of affected organizations is sobering to scroll through. The full list is presently nearly three times as long and growing.
The US Department Of Energy – Shell Company – First National Bankers Bank – Putnam Investments – Datasite – Swiss Insurance Company ‘Okk’ – Leggett & Platt – Multinational Firm PricewaterhouseCoopers (PwC) – Ernst & Young – Health Services Ireland – BBC – British Airways – Boots Retail – Medibank – Rochester Hospital – Greenshield Canada – Datasite – National Student Clearinghouse – United Healthcare Student Resources – University System Of Georgia – German Brand Heidelberg – Aer Lingus – Government Of Nova Scotia – Johns Hopkins University – Ofcom Britain – Transport For London (TfL) – Ernst And Young – Gen Digital, The Parent Company Of Avast, Norton, AVG, Avira And LifeLock – New York City Department Of Education Attack Impacted About K Students – Siemens Energy – Schneider Electric – Shutterfly.com – Dublin Airport Staff Info Leak – Allegiant Air – American Airlines – Ireland’s Commission Of Communications Regulation – Estee Lauder – Sierra Wireless – Bluefin Payment System – TJX Companies – Ventiv Technology – Vitality Group International – University Of Alaska – University Of Colorado – University Of Dayton – University Of Delaware – University Of Idaho – University Of Illinois – University Of Loyola – University Of Missouri – University Of Oklahoma – University Of Rochester – University Of Southern Illinois – University Of Utah – University Of Wake Forest – University Of Washington State – Webster University – PBI Research Service – Teachers Insurance And Annuity Association – Honeywell – American Multi-Cinema Inc Aka AMC Theatres – Warner Bros Discovery – Radisson Americas – Crowe – ING Bank – Deutsche Bank – Postbank – Maximus – Serco Inc – Aristocrat – Data Media Associates Aka DMA – Clorox (Yet To Be Confirmed Officially) – Colorado Department Of Health Care Policy & Financing (HCPF) – UMass Chan Medical School Of Massachusetts Health – Government Of Nova Scotia, Canada – Pole Emploi, France – Flagstar Bank Via Fiserv – State Of Maine – List Of
Impacted -Schools, Colleges And Universities Are As Follows- – -Academy Of Art University – -Accesslex Institute – -Adams State University – -Adelphi University – -Advanced Technology Institute – -Alamance Community College – -Albertus Magnus College – -Alfred University – -Alice Lloyd College -Allen County Community College -Allen High School -Alliant International University -American Career College -American College Of Healthcare Sciences -Or -American University Of Healthcare Sciences -American University Of The Caribbean -Andrew College -Anna Maria College -Anne Arundel Community College -Antioch University -Aquinas College -Arcadia University -Arizona State University -Arizona Western College -Ascendium -Asheville-Buncombe Technical Community College -Aspen University -Athens State University -Atlantic Cape Community College -Atlantic University College -Auburn University -Baker University -Baldwin Wallace University -Ball State University -Bank Street College Of Education -Baptist Health Sciences University -Bard College -Barton Community College -Baton Rouge Community College -Beaufort County Community College -Belhaven University -Bellarmine University -Bellevue College -Bellevue West High School -Bellin College -Bemidji State University -Bergen Community College -Berry College -Bethune-Cookman University -Big Bend Community College -Bismarck State College -Bladen Community College -Blue Ridge Community And Technical College -Blue Ridge Community College -Bluefield State University -Bluefield University -Boise State University -Brazos Higher Education Authority -Brescia University -Brevard College -Brewton-Parker College -Bridgeport Military Academy -Brigham Young University -Brigham Young University – Idaho -Brookdale Community College -Broward College -Brown University -Brunswick Community College -Buena Vista University -Butler Community College -Caldwell Community College And Technical Institute -Caldwell University -Calhoun Community College 
-California Baptist University -Undergrads -California Institute Of Integral Studies -California State Polytechnic University Pomona -California State University – Chico -California State University – Dominguez Hills -California State University – Fresno -California State University – Fullerton -California State University – Long Beach -California State University – Los Angeles -California State University – San Bernardino -California State University- Northridge -Camden County College -Cameron University -Campbellsville University -Canada College -Canisius College -Cape Fear Community College -Capital University Columbus -Carl Albert State College -Carl Junction Hs -Carlos Albizu University -Carolina University -Carolinas College Of Health Sciences -Carroll College -Carroll University -Carson-Newman University – -Carteret Community College – -Case Western Reserve University – Castleton University -Cazenovia College -Cecil College -Centier Bank -Central Alabama Community College Central Carolina Technical College -Central Connecticut State University -Central Maine Community College -Central Michigan University – Central New Mexico Community College -Central Piedmont Community College -Central Texas College-Traditional -Centralia College -Centre College -Cfi -Chaffey Community College -Chamberlain University -Chandler/Gilbert Community College -Charter Oak State College -Chattanooga State Community College -Chicago School Of Professional Psychology -Chicago State University -Chippewa Valley Technical College -Citizen’s Bank, Na -City College Of San Francisco -Clark College -Clarkson University -Clayton State University -Clemson University -Cleveland Community College -Cleveland State University -Coahoma Community College -Coastal Carolina Community College -Coastal Carolina University -Cochise College -Coker University -College Of Dupage -College Of Health Care Professions- Houston NW -College Of New Jersey -College Of Saint Rose -College Of San Mateo -College Of 
Southern Idaho -College Of Southern Nevada -College Of The Albemarle -College Of The Canyons -College Of The Desert -College Of The Holy Cross -College Of The Mainland -College Of The Siskiyous -College Of Western Idaho -Collin County Community College -Colorado Mesa University -Colorado Mountain College -Columbia State Community College -Columbia University -Community College Of Beaver County -Community College Of Philadelphia -Community College Of Rhode Island -Community College Of Vermont -Concord University -Concordia University -Cornell University -Cowley County Community Junior -Craven Community College -Creative Arts Secondary School -Creighton University -Crispus Attucks High School -CUNY Bernard M Baruch College -CUNY Borough Of Manhattan Community College -CUNY Bronx Community College -CUNY Brooklyn College -CUNY City College -CUNY College Of Staten Island -CUNY Graduate School And University Center -CUNY Hostos Community College -CUNY Hunter College -CUNY John Jay College Of Criminal Justice -CUNY Kingsborough Community College -CUNY LaGuardia Community College -CUNY Lehman College -CUNY Medgar Evers College -CUNY New York City College Of Technology -CUNY Queens College -CUNY Queensborough Community College -CUNY York College -Cuyahoga Community College -Cuyamaca College -Dallas Theological Seminary -Dartmouth College -Davidson College -Davidson-Davie Community College -De Anza College -Delaware County Community College -Delaware Technical And Community – Terry -Delaware Valley University -Delgado Community College -Delta College -Des Moines Area Community College -DeVry University -Divine Mercy University -Doane University -Dominican University New York -Dordt University -Drake University -Drew University -Drury University -Dunwoody College Of Technology -Durham Technical Community College -Dyersburg State Community College -D’youville University -East Stroudsburg University -East Tennessee State University -Eastern Gateway Community College -Eastern 
Iowa Community College District -Eastern Mennonite University -Eastern New Mexico University -Eastern Oklahoma State College -Eastern University -Eastern Washington University -ECPI University -Edgecombe Community College -Edmonds College -Education Investment -Educational Credit Mgt Corporation -EFP Warehouse Funding -LLC -Ellsworth Community College -Elmhurst University -Embry-Riddle Aeronautical University – Daytona -Emmanuel University -Emory University -Empire State University -Emporia State University -Endicott College -Enterprise State Community College -Erikson Institute -Essex County College -Estrella Mountain Community College -Everett Community College -Fairfield University -Fairleigh Dickinson University – Teaneck -Faulkner University -Fayetteville State University -Fayetteville Technical Community College -Felician University -Fielding Graduate University -Finance Authority Of Maine -Firstmark Serviced Trust -Firstmark Services -Fitchburg State University -Fletcher Technical Community College -Florence-Darlington Tech College -Florida College -Florida Gateway College -Florida Institute Of Technology -Florida International University -Florida Southern College -Florida State College At Jacksonville -Fond Du Lac Tribal And Community College -Foothill College -Fordham University -Forsyth Technical Community College -Franklin Pierce University -Fresno City College -Fresno Pacific University -Frontier Nursing University -Full Sail University -Gadsden State Community College -Galen College Of Nursing -Gaston College -Gateway Community College -Gateway Community College -George C Wallace Community College -George Fox University -George Mason University -George Washington High School -George Washington University -Georgetown University -Georgia Gwinnett College -Georgia Highlands College -Georgia Institute Of Technology -Georgia State University -Goddard College -Golden West College -Goldman Sachs Bank Usa -Gonzaga University -Gordon-Conwell Theological – 
Hamilton -Grambling State University -Grand Canyon University-Traditional -Grand Rapids Community College -Great Basin College -Greenville Technical College -Greenville University -Grossmont College -Guilford Technical Community College -Gulf Coast State College -Gwynedd Mercy University -Halifax Community College -Harrisburg University Of Science And Technology -Harris-Stowe State University -Hartwick College -Harvard University -Haywood Community College -Heartland Community College -Hennepin Technical College -Henry Ford College -Highland Community College -Hill College -Hillsborough Community College -Hood Theological Seminary -Horn High School -Horry-Georgetown Technical College -Housatonic Community College -Howard Community College -Howard University -Hudson County Community College -Hutchinson Community College -Icahn School Of Medicine At Mount Sinai -Illinois College -Illinois Eastern C C -Illinois Student Assistance Commission -Independence Community College -Indian Hills Community College -Indiana Wesleyan University -Inter American Univ Of Puerto Rico -Inter American Univ Of Puerto Rico Bayamon Campus -Inter American Univ Of Puerto Rico- Law -Inter American Univ Of Puerto Rico- Metro Campus -Interdenominational Theological -Inver Hills Community College -Iona University -Iowa Central Community College -Iowa State University -Iowa Western Community College -Irvine Valley College -Isothermal Community College -J F Drake State Technical College -Jackson College -Jackson State Community College -Jackson State University -James Madison University -James Sprunt Community College -Jefferson College -John Brown University – Main Campus -John Carroll University -Johnston Community College -Kean University -Kellogg Community College -Kennesaw State University -Kent State University -KeyBank National Association -King’s College -Kirkwood Community College -Klamath Community College -Lagrange College -Lake Erie College Of Osteopathic -Lake Forest Graduate School 
Of Management -Lake Superior State University -Lakeshore Technical College -Lake-Sumter State College -Lane College -Laramie County Community College -Le Moyne College -Lebanon Valley College -Lehigh Carbon Community College -Lehigh University -Lenoir Community College -Letourneau University -Lewis-Clark State College -Liberty High School -Limestone University -Lindenwood University -Lone Star College System District -Long Island University -Longwood University -Louisiana Christian University -Louisiana Delta Community College -Louisiana State University – Shreveport -Louisiana State University At Alexandria -Loyola Marymount University -Loyola University Chicago -Loyola University In New Orlean -Lynn University -Macomb Community College -Manchester Community College -Manhattan Area Technical College -Manhattan College -Manhattanville College -Maria College -Marian University -Marian University -Marquette University -Marshall University Huntington -Marshalltown Community College -Martin Community College -Maryland University Of Integrative Health -Marywood University -Massachusetts Maritime Academy -McDowell Technical Community College -McHenry County College -McLennan Community College -McNeese State University -Medaille University -Merced College -Mercy College Of Ohio -Meredith College -Mesabi Range College -Methodist University -Metropolitan Community College -Metropolitan State University -Mgt Institute Of Health Professions -Miami University -Michigan Finance Authority -Michigan State University -Michigan Technological University -Mid America Christian University -Mid Michigan College -Mid Plains Community College -MidAmerica Nazarene University -Middlesex College -Middlesex Community College -Midland University -Midway University -Mildred Elley School -Millikin University -Millsaps College -Milwaukee Area Tech College -Milwaukee Lutheran High School -Minnesota Office Of Higher Education -Minnesota State University – Mankato -Minnesota State University 
Moorhead -Mississippi College -Missouri State University -Missouri University Of Science And Technology -Mitchell Community College -Moberly Area Community College -Modesto Junior College -Molloy University -Monroe College -Monroe Community College -Montclair State University -Monterey Peninsula College -Montreal College -Morehead State University -Mount Marty University -Mount Mary University -Mount Saint Mary College -Mount St Mary’s University -Mpower Financing -Muhlenberg College -Muskegon Community College -Mycomputercareer At Columbus -Nash Community College -Nashville State Community College -Nassau Community College -National Student Loan Program -National University -Ncmslt I -Nelnet Bank, Inc -Nelnet Inc -Neumont College Of Computer Science -Nevada State University -New England College – Semesters – Dayo -New England College Of Optometry -New Jersey Institute Of Technology -New Mexico State University-Main -New Mexico Student Loans -New York College Of Health Professions -New York Institute Of Technology- Old Westbury -New York University -Niagara County Community College -Nichols College -Nightingale College -Norfolk State University -Normandale Community College -North Carolina Central University -North Carolina State University -North Carolina Wesleyan College -North Central Texas College -North Central University -North Florida College -North Hennepin Community College -North Idaho College -North Iowa Area Community College -North Seattle College -North Shore Community College -Northcentral University -Northeast Iowa Community College -Northeastern State University -Northeastern Technical College -Northern Arizona University -Northern Kentucky University -Northern Michigan University -Northern Oklahoma College -Northland Community And Technical College -Northstar Education Finance, Inc -Northwest Missouri State University -Northwestern State University -Northwestern University -Norwalk Community College -Norwich University -Od Wyatt High School 
-Oakwood University -Ocean County College -Oglethorpe University -Oklahoma City University -Oklahoma State University – Stillwater/Tulsa -Olathe East High School -Old Dominion University -Olivet Nazarene University Ug -Oregon Institute Of Technology -Osceola County School For The Arts -Osceola High School -Our Lady Of The Lake University Of San Antonio -Oxnard College -Pace University -Pacific Western Bank -Palmer College Of Chiropractic -Pamlico Community College -Panhandle Plains Perkins -Paradise Valley Community -Park Hill High School -Park University -Pasadena City College -Passaic County Community College -Paul Smith’s College -Payne Theological Seminary -Peirce College -Pellissippi State Community College -Peninsula College -Pennsylvania Western University -Pensacola State College -Philadelphia College Of Osteopathic Medicine -Piedmont Community College -Piedmont University -Pierce College -Pima Community College -Pitt Community College -Plaza College -Point University -Pomeroy College Of Nursing At Crouse Hospital -Pontifical Catholic University Of Puerto Rico -Post University -Prairie View A&M University -Presbyterian College -Prescott College -Prism Career Institute -Purdue University – West Lafayette -Purdue University Global -Purdue University Northwest -Queens University Of Charlotte -Quincy College -Quinnipiac University -Radford University -Ramapo College Of New Jersey -Randolph College -Randolph Community College -Redeemer University -Regis College -Rend Lake College -Rhode Island School Of Design -Rice University -Richmond Community College -Rio Salado College -River Parishes Community College -Riverside City College -Roanoke College -Robeson Community College -Rochester Community And Technical College -Rock Valley College -Rockhurst University -Rockingham Community College -Rocky Mountain College Of Art And Design -Rogue Community College -Roseman University Of Health Sciences -Rowan-Cabarrus Community College -Rutgers -The State University Of Nj 
-New Brunswick -Saddleback College -Saint Augustine’s University -Saint John’s University -Saint Joseph’s College Of Maine -Saint Louis University -Saint Mary’s Univ Of Minnesota -Saint Paul College -Saint Peter’s University -Saint Thomas Aquinas College -Salus University -Samaritan Hospital School Of Nursing -Samuel Merritt University -San Bernardino Valley College -San Diego Mesa College -San Diego Miramar College -San Diego State University -San Francisco State University -San Jose State University -San Juan College -Sandhills Community College -Santa Ana College -Santa Fe Community College -Santa Monica College -Savannah State University -Saybrook University -School Of Visual Arts -Scottsdale Community College -Seattle Central College -Seattle University -Seton Hill University -Seward County Community College -Shasta College -Shaw University -Shawnee Community College -Shawnee State University -Shorter University -Sienna College -Sierra College -Simmons University -Skyline College -Slf V- Trust -Snow College -South Carolina Student Loan Corporation -South Dakota State University -South Piedmont Community College -South Seattle College -Southeast Community College – Lincoln -Southeast Missouri State University -Southeastern Community College -Southern Baptist Theological Seminary -Southern Connecticut State University -Southern Maine Community College -Southern Union State Community College -Southwest College Of Naturopathic Med & Health Sciences -Southwestern Assemblies Of God University – Southwestern Community College – Southwestern Oklahoma State University – Southwood Financial LLC – Splash Financial – Spokane Community College – Spokane Falls Community College – Spring Arbor University – St Ambrose University – St Charles Community College – St Clair County Community College – St Cloud State University – St John Fisher University – St Johns River State College – St Joseph’s University – St Joseph’s University- Brooklyn – St Louis Community College – St 
Mary’s College Of California – St Mary’s University – St Olaf College – St Peter’s Hospital College Of Nursing – St Thomas University – Stanford Federal Credit Union – Stanford University – Stanly Community College – State University Of New York New Paltz – Stephen F Austin State University – Stetson University – Stonehill College – Student Loan Acquisition Trust – – Sullivan University – Suny Adirondack Comm Coll – Suny Binghamton – Suny Broome Community College – Suny Cobleskill – Suny College – Cortland – Suny College – Old Westbury – Suny College Of Environmental – Suny College Of Technology At Canton – Suny Columbia-Greene Community College – Suny Downstate Health Science Center – Suny Farmingdale – Suny Fashion Institute Of Technology – Suny Finger Lakes Community College – Suny Herkimer County Community College – Suny Jamestown Community College – Suny Mohawk Valley Community College – Suny Onondaga Community College – Suny Orange County Community College – Suny Polytechnic Institute – Suny Rockland Community College – Suny Stony Brook University – Suny Suffolk County Community College – Suny Sullivan Co Community Clg – Suny Tompkins Cortland Community College – Suny University – Brockport – Suny University At Albany – Suny Upstate Medical University – Suny Westchester Community College – Surry Community College – Sussex County Community College – Tacoma Community College – Tarleton State University – Tarrant County College – Temple College – Temple University – Texarkana College – Texas A And M International University – Texas A And M University Kingsville – Texas Christian University – Texas State Technical College – Waco – Texas Woman’s University – The Catholic University Of America – The Master’s University – The New School – The University Of Alabama In Huntsville – The University Of Olivet – The University Of Tennessee Southern – The University Of Tulsa – Three Rivers College – Tiffin University – Touro University – Touro University California – Touro 
University Worldwide – Towd Point Asset Grantor Trust -Sl – Trellis Company – Tremper High School – Trevecca Nazarene University – Tri-County Technical College – Trinity International University – Triton College – Trocaire College – Truman State University – Tufts University – Tuskegee University – Tyler Junior College – Uc Law San Francisco – UEI College- Fresno – Umb Sl Trust I – Union Bank And Trust Company – Union College Of Union County New Jersey – Union Presbyterian Seminary – United Education Institute- Huntington Park Campu – United States Naval Academy – United States Sports Academy – United States University – Unity Environmental University – Universidad Ana G Mendez Recinto De Carolina – Universidad Ana G Mendez Recinto De Cupey – Universidad Ana G Mendez Recinto De Gurabo – Universidad Del Sagrado Corazon – University Accounting Service – University Of Akron – University Of Alabama – University Of Alabama Birmingham-Traditional – University Of Alaska – Fairbanks – University Of Alaska Anchorage – University Of Arizona – University Of Arkansas – Fort Smith – University Of Bridgeport – University Of California-Los Angeles – University Of Central Missouri – University Of Central Oklahoma – University Of Cincinnati – University Of Colorado Boulder – University Of Colorado Colorado Springs – University Of Colorado Denver – University Of Connecticut – University Of Dayton – University Of Detroit Mercy – University Of Florida – University Of Hartford – University Of Holy Cross – University Of Idaho – University Of Illinois At Chicago – University Of Illinois At Urbana – University Of Indianapolis – University Of Kansas – University Of Kentucky – University Of La Verne – University Of Louisiana – Monroe – University Of Louisville – University Of Lynchburg – University Of Mary Washington – University Of Memphis – University Of Miami – University Of Michigan – University Of Michigan Dearborn – University Of Michigan Flint – University Of Missouri-Columbia – 
University Of Missouri-Kansas City – University Of Missouri-St Louis – University Of Mobile – University Of Montevallo – University Of Mount Olive – University Of Nevada Las Vegas – University Of Nevada-Reno – University Of New Haven-Semesters – University Of New Mexico – University Of New Orleans – University Of North Alabama – University Of North Carolina Asheville – University Of North Carolina-Greensboro – University Of North Carolina-Pembroke – University Of North Dakota – University Of North Texas – University Of Northwestern Ohio College Of Business – -University Of Oklahoma – University Of Phoenix – University Of Pittsburgh – University Of Providence – University Of Puerto Rico-Ponce – University Of Richmond – University Of San Francisco – University Of Science And Arts Of Oklahoma – University Of South Dakota – University Of St Thomas – University Of Tampa – University Of Tennessee – University Of Tennessee – Martin – University Of Tennessee Chattanooga – University Of Texas Arlington – University Of Texas Rio Grande Valley – University Of The District Of Columbia – University Of The Incarnate Word – University Of The Pacific – University Of The Southwest – University Of The Virgin Islands – University Of West Alabama – University Of West Georgia – University Of Wisconsin – La Crosse – University Of Wisconsin – Milwaukee – University Of Wisconsin – Oshkosh – University Of Wisconsin – Platteville – University Of Wisconsin – Stevens Point – University Of Wisconsin – Stout – University Of Wisconsin – Whitewater – University Of Wisconsin- Green Bay – Upper Iowa University – Us Bank National Association – Utah State University – Utica University – UW Credit Union – Valley Forge Military College – Valparaiso University – Vance-Granville Community College – Vanderbilt University – Veritas Doctrina Loan Trust – Vermont Student Assistance Corp – Villanova University – Virginia Commonwealth University – Virginia Military Institute – Virginia Polytech And State Univ 
– Wagner College – Wake Forest University – Wake Technical Community College – Walden University – Wartburg College – Washington State University – Waukesha County Technical College – Wayne Community College – Wayne State College – Webster University Semester – Welch College – West Coast University- North Hollywood – West Shore Community College – West Texas A And M University – West Valley College – West Virginia State University – West Virginia University – Western Carolina University – Western Connecticut State University – Western Governors University – Western Iowa Tech Community College – Western Kentucky University – Western Michigan University Thomas M Cooley Law – Western Nevada College – Western New England University – Western Oklahoma State College – Western Piedmont Comm Coll – Western University Of Health Sciences – Westmont College – Westmoreland County Community College – Whatcom Community College – Wichita State University – Wilkes Community College – Wilkes University – William And Mary – William Paterson University Of New Jersey – Wilson College – Wilson Community College – Wingate University – Winona State University – Wisconsin Lutheran College – Wor-Wic Community College – Xavier University Of Louisiana – Yuba Community College
The Initial Consequences of the Attack
At the time the above list was compiled, the CL0P gang was suspected of having collected more than $100 million in ransom from this long list of victims. That number has surely doubled or more as the nearly 900 organizations above have been joined by at least 1500 more and counting, according to a year-end recap published by TechCrunch, which called the MOVEit attack the most devastating of 2023. The attack claimed more than 2600 organizations as victims, and approximately 84 million individuals had their personal data exposed as of the end of 2023. The damage of this attack is significant and continues to grow.
A small sampling of the exponential damage wrought upon MOVEit customer businesses as a result of the initial breach illuminates just how massive the damage is to the privacy of tens (or perhaps ultimately hundreds) of millions.
This is Bad: The Centers for Medicare & Medicaid Services issued a press release near the end of 2023. In it, CMS discloses that one of its contractors serving the Medicare program (Maximus Federal Services) was impacted by the breach. The Personally Identifiable Information or PII of 330,000 Medicare recipients has been compromised. CMS and Maximus are sharing the cost associated with providing credit monitoring services to all three hundred thirty thousand affected persons for TWO YEARS! No small sum and a certain drain on profitability.
This is Worse: The HIPAA Journal reports on the expanding number of individuals whose sensitive personal data, including birth dates, driver’s license numbers and Social Security numbers, was compromised when it was stolen from healthcare systems using MOVEit file transfer software. In the state of Maine alone, more than 1.3 million individuals were affected, many of them employees of the state departments of Health and Human Services and Education.
The Journal’s report also includes information on other healthcare industry victims including Greater Rochester (NY) Independent Practice Association, California’s Tri-City Medical Center, and the Optum Medical Group’s Crystal Run Healthcare system in Middletown, NY.
Altogether, these few healthcare organizations’ exposure totals more than 3 million individual records. TechCrunch reports that another four million individuals’ personal health records were stolen from the Colorado Department of Health Care Policy and Financing.
This is Downright Terrifying: The consequences of so much PII falling into malevolent hands are scary enough when it comes to the potential for this data to be used to steal identities, money, intellectual property or trade secrets. But it is even more frightening when the stolen data is relevant to issues of national security.
Bloomberg’s reporting that more than 630,000 email addresses were exposed from the US Departments of Justice and Defense is chilling. While the Cl0p hacker collective is only interested in selling the stolen data for money, foreign adversaries and hostile threat actors are much more likely to purchase the information to use in the deployment of attacks on US military and intelligence forces around the world.
This can have truly deadly ramifications for those serving in our defense and foreign services operations around the world. Tom Kellermann, SVP of Cyber Strategy at Contrast Security, told Spiceworks, “Federal agencies have also been impacted. This is a systemic attack, and CISA has mobilized resources. I feel that this is a harbinger of cyberwar with Russia.” Governments must surely adopt data privacy practices to ensure national security.
Regardless of how one looks at it, the potential harms derived from this one attack are dire financially and could even prove fatal. Savvy organizations are not waiting to find their name amongst the list of compromised data pools in the next big data breach. And the MOVEit breach surely won’t be the last such attack. Smart money is moving to secure all its employees’ and vendor employees’ external data so that, when the next inevitable breach occurs, it will be very easy to locate and remove the stolen data. This is because data privacy management is a discipline that works best when applied on an ongoing basis.
For details on how continuity of effort ensures the best outcomes in data privacy management, read the Privacy Bee White Paper, “How to Stop Data Brokers? Continuity is Critical”.
The Attack Vector and EDP
IT industry marketplace and media outlet Spiceworks notes the chilling reality about this hack which underscores the importance of the solution Privacy Bee proposes. Quoting Erich Kron, a well-regarded security awareness advocate, Spiceworks writes, “[Hacker group] Cl0p has really made a name for itself in 2023 through their approach of simple extortion, rather than going through the trouble of encrypting the files on the victims’ network. Cl0p has proven that there is a great deal of value in simply stealing data and threatening to release it.”
This fact reveals the primary value of the raw data which is already routinely used by hackers and threat actors to craft specialized, highly targeted spear phishing and other social engineering attacks. Typically directed at the highest of high value targets, spear phishing and similar attacks can be used to accomplish very specific goals. Whether that is the theft of funds, theft of intellectual property, physical attacks on specific individuals or governments, etc., there already exists a vibrant market for personal data. The Data Broker and People Search Site industries are the more legitimate outlets where personal data can be purchased and used to mount attacks. Dark web and other online black markets are also a favorite place for bad actors to purchase unsecured personally identifiable information for the same purposes.
It has not been definitively determined whether or not unsecured data was used to perpetrate the initial SQL injection attack that provided the initial access to the MOVEit systems. Regardless, the objective of this attack was always to hold hostage the data of millions of individuals. The value of this data is evident.
Experts have determined that the initial SQL injection exploited a vulnerability – an unsecured administrative interface – that allowed an unauthenticated user to gain high-level access to data stored on the servers.
It has also been noted that many end-users of the MOVEit file transfer software bear some responsibility for their predicament as well. Customers must not grow overly reliant on the claims of security made by the software vendors they engage. Maintaining strong data hygiene practices, data privacy protection protocols and other best practices (such as quickly removing transferred files from the transfer servers after transmission) can help decrease the potential for data exfiltration in case of a breach.
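The practice recommended above, removing transferred files from the transfer server soon after transmission, can be automated with a retention sweep. The following is an added example, not code from Privacy Bee or Progress Software; the staging-directory layout, the 24-hour window and the use of file modification time as the delivery time are assumptions.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

RETENTION_SECONDS = 24 * 3600  # assumed policy: keep delivered files one day


def find_stale_files(root, max_age=RETENTION_SECONDS, now=None):
    """List regular files under root last modified more than max_age seconds ago."""
    now = time.time() if now is None else now
    stale = []
    # followlinks=False: never descend through a symlinked directory out of root.
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            info = path.lstat()  # lstat: inspect the link itself, not its target
            if not stat.S_ISREG(info.st_mode):
                continue  # skip symlinks, sockets and devices
            if now - info.st_mtime > max_age:
                stale.append(path)
    return sorted(stale)


def purge(root, max_age=RETENTION_SECONDS, dry_run=True, now=None):
    """Delete stale files (only report them when dry_run); return relative paths."""
    removed = []
    for path in find_stale_files(root, max_age, now):
        if not dry_run:
            path.unlink()
        removed.append(path.relative_to(root).as_posix())
    return removed


def demo():
    """Sweep a constructed staging tree; returns (report, leftover, outside_kept)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "staging"
        (root / "partner_a").mkdir(parents=True)
        old = root / "partner_a" / "payroll_export.csv"  # constructed sample
        new = root / "partner_a" / "in_flight.csv"       # constructed sample
        keep = Path(tmp) / "outside.txt"                 # lives outside root
        for f in (old, new, keep):
            f.write_text("constructed sample data\n")
        three_days_ago = time.time() - 3 * 24 * 3600
        os.utime(old, (three_days_ago, three_days_ago))
        os.utime(keep, (three_days_ago, three_days_ago))
        (root / "link_out").symlink_to(keep)  # must not be followed or deleted
        report = purge(root, dry_run=True)    # review first
        purge(root, dry_run=False)            # then delete
        leftover = sorted(p.name for p in root.rglob("*")
                          if p.is_file() and not p.is_symlink())
        return report, leftover, keep.exists()


if __name__ == "__main__":
    print(demo())
```

Run the sweep in dry-run mode first and review the report; files that are still awaiting pickup need a retention window longer than the slowest expected transfer.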
The Longer-Term Consequences of the Attack
Each of the thousands of companies having their data held for ransom due to the MOVEit failure will likely be paying significant sums to the hackers. Those that can’t or won’t will likely spend significantly on public relations and remediation processes like offering identity theft protection to the hundreds or even thousands of their customers whose data was involved in the breach. The reputational damage is long-tail and more difficult to quantify, but it definitely has a negative effect on operations and profitability. The extent of that damage is a matter of hot debate.
A Snowball Effect of Stolen Data Fueling the Next Attacks
All industry watchers agree, though, that the parties facing the worst consequences of the MOVEit breach are the millions (85 million at last check and rising) of individuals whose private data is being sold on the black market as a result of this crime. Each of those individuals’ data can be used by hackers to produce spear phishing and other social engineering attacks. These attacks can certainly result in individuals suffering singular losses to petty scams.
Yet, more ominously, the stolen data can be used to isolate top executives and others with positions of influence and authority. The same data is then used to produce phishing schemes targeting the large and wealthy organizations where these targets work. As a result, the cycle of data theft and privacy breach is perpetuated. Today’s stolen data is the fuel for tomorrow’s spate of new high-profile data breaches.
The Exit of Insurers Covering Data Breach Liabilities
For its part, as the initial victim and first domino to fall in this unprecedented attack and security failure, Progress Software faces perhaps an existential threat. In October of 2023, months after the breach was revealed, the company filed its 10-Q quarterly filings with the Securities and Exchange Commission. At that point (three months before the writing of this paper) costs related to the MOVEit cyberattack had already grown close to $3 million. While Progress’s insurance coverage softened the blow, the worst may still be yet to come. Already, one of Progress Software’s insurers has filed a subrogation claim seeking recovery of the expenses incurred by the MOVEit attack. And, according to Cybersecurity Dive, nearly 60 class-action lawsuits have already been launched by parties claiming harms endured because of their data being stolen from MOVEit customers’ environments.
Progress Software reports in SEC filings that it still has millions of dollars’ worth of insurance coverage remaining to address claims. However, as will be discussed in the “Longer-Term Consequences” segment below, this may not be enough and future ability to retain coverage may be in question.
Moreover, as these types of massive liability claims continue to rise, insurers may decide they simply cannot sustain the risk associated with offering coverage for this type of peril. It could become impossible for any organization to retain coverage against losses stemming from an attack like the MOVEit breach.
What’s more likely is that the insurance industry – together with the evolving regulatory frameworks emerging from governments across the states, nation and globe – will set standards and regulations with which all organizations must comply. This is already happening in a regulatory sense and many large enterprise organizations are building external data privacy protection requirements into their Governance, Risk, and Compliance (GRC) documents. Strong GRC documentation is becoming more frequently required in the procurement processes of enterprises and government organizations.
For more about GRC and unsecured external data risk, read the white paper, “The Shortcomings of Third-Party Risk Management and How to Get it Right for Your Organization”.
External Data Privacy Management
Subsequent to a massive breach like the MOVEit breach, millions of affected individuals – personally and professionally – will engage in cleanup, changing or updating passwords and taking other measures to protect themselves and their organizations from the next attack. Whether or not your organization was one of the 2500+ (and growing) organizations impacted by the MOVEit breach, the chances are high that hackers using the data exposed by Cl0p will target you next. Although there is no way to fully eliminate the threat, the very best thing organizations can do to make themselves far less likely to be victimized again is to beef up their external data privacy.
Avoiding social engineering attacks and the resulting data breaches depends on securing external data privacy. This means scrubbing the external data of all relevant employees (both internal and third party) from the many sources of PII available. As noted earlier in this document, continuity of engagement when it comes to securing external data is the key to being able to quickly remediate any unauthorized data exfiltration. Getting ahead of the hackers and threat actors means removing identifiable information that can be used to generate phishing and other scams from hundreds of data brokers, people search sites and public data sources so that if and when these data are released, they are conspicuous and more quickly removed. Having such practices and processes in place may sound like an insurmountable task. But it is achievable, and it is truly the only way to protect against falling victim. Privacy Bee for Business is a leader in delivering EDPM solutions that are proven effective at reducing the digital attack surface and adding the necessary data privacy layer of protection atop the rest of the traditional information security practices already widely in use.
It is recommended that all organizations avail themselves of these easy to deploy scans and metrics to determine their existing level of vulnerability when it comes to EDPM.
Privacy Bee’s Employee Risk Management (ERM) is an easy but powerful way to get visibility into your External Data Privacy risk. After just a few minutes to load and configure your employees (usually an exported CSV from your HCM software), Privacy Bee automatically begins scanning hundreds of external sources, searching for any exposed privacy risks on each employee. Any discoveries are flagged as an exposure and affect that person’s aggregated Privacy Risk Score.
ERM helps quickly paint a full picture of an organization’s real-time cyber risk from external privacy exposures. This privacy intelligence platform is 100% free for all businesses, powered by Privacy Bee.
Privacy Bee’s External Data Privacy Audit is another web-based privacy app for quickly and easily scanning employees’ PII exposure. This tool set lets you build an extensive audit, identifying privacy exposures and vulnerabilities, then extrapolates potential financial impact across your company. It’s a critical view into risk assessment, operational inefficiencies, emerging cyber risk, and External Data Privacy Management.
The EDPA provides unified employee audits, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (Data Brokers, People Search Sites, paste sites, and more). It delivers a centralized view into public employee exposures and insight into the tangible financial impact they have within your organization.
Privacy Bee’s Vendor Risk Management (VRM) extends the privacy bubble to targets outside your organization but who may have a degree of access to your sensitive information systems – including software providers and/or contract development resources. This solution evaluates all your vendor/partner organizations for Electronic Data Privacy risks. It then reports simple Privacy Risk Scores on each company, highlighting each vendor’s risk at a glance. Analytics further break vendors down by department, risk tier, and more, with all thresholds fully customizable. While most vendor risk software stops at the report, Privacy Bee VRM keeps going, offering to work with all your 3rd party vendors 1-on-1 to decrease their vulnerabilities, effectively de-risking your company.
While all these (and other) audits and monitoring services are for use at no cost, removing employee PII from all unsafe locations on the net is what reduces the risk and the attack surface. While this is a function your organization could take on as an internal activity, most organizations prefer to outsource to Privacy Bee the removal service for their employees and vendors identified as at risk. Privacy Bee has teams of experts working 24x7x365 to scrub client employees’ PII from all unsafe corners of the internet.
Putting EDP solutions like these in place does more to protect against being victimized by threat actors from the outset. And while they are useful as a restorative, to clean up the messes after a breach has occurred, it is best to deploy them from the outset so as to avoid becoming the next high-profile victim.
Speak with Privacy Bee to discuss the External Data Privacy Management at your company.
