Count of Organizations Affected by MOVEit Attacks Hits 637Breach Notifications Say Over 41 Million Individuals' Personal Information Exposed
At least 637 organizations have confirmed they were affected by the zero-day attack on MOVEit file-transfer servers that began in late May.
That count, reported Thursday by German cybersecurity firm KonBriefing, includes organizations whose MOVEit servers were accessed as well as organizations affected indirectly because they work with one or more organizations that use the file-transfer tool built by Progress Software.
As a result of its attacks, the Russian-speaking Clop ransomware group has stolen data that includes personal details for at least 41 million individuals, based on the data breach notifications issued so far by affected organizations, reported security firm Emsisoft.
The number of individuals known to be affected is set to rise, as many organizations appear to be still probing the incident. They include Missouri's Department of Social Services.
In a Tuesday data breach notification, the state agency said personal information for the state's Medicaid users appears to have been stolen from service provider IBM's MOVEit server.
"DSS was able to obtain a copy of the files believed to have been accessed and we are still analyzing the contents of those files," it said. "Due to the size and formatting of the files, it will take some time to complete this analysis."
Anyone who may have been affected is being notified by DSS, so they can watch for signs of identity theft. The agency has promised to again contact anyone who it determines is definitely a victim. "The information involved in this incident may include an individual's name, department client number, date of birth, possible benefit eligibility status or coverage, and medical claims information," DSS said.
Clop Likely Timed Attack for US Holiday
Clop unleashed its highly automated mass attack around May 27, likely timed to take advantage of the U.S. Memorial Day holiday weekend. How the group came into possession of a zero-day vulnerability in Progress Software's software remains unknown. This is the fourth time Clop has targeted users of file-transfer tools via a mass attack.
Progress first publicly disclosed and patched the SQL vulnerability, tracked as CVE-2023-34362, on May 31.
Multiple organizations fell victim to the MOVEit attacks not directly but due to their use of service providers. In addition to Missouri's DSS, they include National Student Clearinghouse, which works with more than 3,500 colleges and universities in the U.S. and which has data on 17.1 million current postsecondary students.
Another widely used service provider and MOVEit user is PBI Research Services, which helps financial services firms comply with regulatory requirements, including identifying policyholders who are deceased as well as their beneficiaries.
Ransomware incident response firm Coveware estimated that Clop may have earned $75 million to $100 million via a few very large ransom payments from bigger victims in the early days of its campaign.
In June, Clop began posting to its data leak site the names of victims who declined to pay a ransom. The group has also been leaking data it stole from some organizations, although it claims to have deleted any information it stole from government entities.
Top 10 Organizations With Most Victims
|Maximus Inc.||8 million to 11 million|
|Louisiana's Office of Motor Vehicles||4.6 million to 6 million|
|Oregon Driver & Motor Vehicle Services||3.5 million|
|Teachers Insurance and Annuity Association of America*||2.63 million|
|Genworth*||2.5 million to 2.7 million|
|Performance Health Technology||1.7 million|
|Wilton Reassurance Co.*||1.48 million|
|Milliman Solutions LLC*||1.28 million|
|F&G Annuities & Life/Fidelity & Guaranty Life Insurance Co.*||873,000|
Sometimes data gets leaked via Clop's own dark web site. In other cases, the group has released stolen data via BitTorrent files. While these are decentralized and difficult to shut down, it's not clear how widely seeded and thus available they might be.
In some cases, Clop has also created dedicated websites for hosting the stolen data - notably for Aon, EY, Kirkland and TD Ameritrade - although these remained online for very little time, Bleeping Computer reported. Whether these sites were knocked offline via law enforcement action, legal takedown notices or distributed denial-of-service attacks isn't clear.
In recent days, Clop has threatened to dump all stolen information for victims who didn't pay a ransom, starting on Tuesday. "You data is going to publishing on clearweb and Tor and for large company we also create clearweb URL to help google index you data," Clop threatened in grammatically challenged English on its Tor-based leak site. "Also all data go on torrent and speed of download is very quick. You not hiding more."
Based on Clop's previous practical challenges with leaking so much stolen information, its latest claims may be empty bravado.
Victims of the MOVEit campaign have collectively filed multiple federal lawsuits seeking class action status against breached organizations.
In late June, residents of Louisiana who fell victim when their data was stolen from the state's Office of Motor Vehicles, filed a lawsuit against New Bedford, Massachusetts-based Progress Software. Plaintiffs accused the vendor of failing "to properly secure and safeguard" individuals' personal data, leaving them at increased risk of identity theft.
Last month, plaintiffs filed two lawsuits against Johns Hopkins University and its Johns Hopkins Health System, seeking monetary damages and injunctive relief requiring the organization to improve its security practices.
Members of the California Public Employees Retirement System - aka CalPERS - filed a lawsuit against CalPERS service providers Pension Benefit Information - aka PBI Research Services - and The Berwyn Group.
Similar lawsuits have been filed in recent days against other organizations that used MOVEit and were hit by Clop, including the Teachers Insurance and Annuity Association of America or TIAA, the University of Rochester and Maximus Federal Services.
Aug. 11, 2023 07:30 UTC: This story has been updated to include the latest count of affected organizations and victims from KonBriefing and Emsisoft.