Fraud Management & Cybercrime , Ransomware , Security and Exchange Commission compliance (SEC)

BlackCat Gang Tattles to SEC About Victim Not Disclosing Breach

Ransomware Group Says MeridianLink Didn't Tell SEC About Cyberattack Within 4 Days
BlackCat Gang Tattles to SEC About Victim Not Disclosing Breach
The BlackCat/Alphv ransomware gang tattled to the U.S. Securities and Exchange Commission about a ransomware attack. (Image: Shutterstock)

The notorious BlackCat ransomware group tattled to U.S. federal regulators about an alleged victim not disclosing a material cyberattack within four business days.

See Also: 2023 Ransomware Preparedness: Key Findings, Readiness and Mitigation

The ransomware gang - also known as Alphv - listed financial services software developer MeridianLink on its data leak site Wednesday and threatened to leak stolen data unless it receives a ransom within 24 hours. BlackCat said it had compromised MeridianLink's systems on Nov. 7 and exfiltrated files without actually encrypting them.

"MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago," BlackCat wrote on its leak site Wednesday. "We have therefore reported this non-compliance by MeridianLink, who was involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission."

The SEC adopted a rule in July that requires publicly traded companies such as MeridianLink to disclose most "material cybersecurity incidents" within four business days of determining materiality. The disclosure rule will start being enforced in mid-December for larger businesses and in mid-June for smaller publicly traded companies (see: SEC Votes to Require Material Incident Disclosure in 4 Days).

The company's stock is down $0.03 - or 0.16% - to $18.52 per share. In an emailed statement, a company spokesman said a forensics investigation so far has shown "no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption."

The SEC did not immediately respond to a request for comment. BlackCat's actions were first reported by

The ransomware group published a screenshot of the form it had filled out on the SEC's tips, complaints and referrals page. It told the SEC that MeridianLink had suffered a "significant breach" and did not disclose it as required, and it posted proof to its data leak site showing that its submission had been received by federal regulators.

This is believed to be the first time a ransomware operator has attempted to get its victim in trouble with the SEC, although other groups have threatened to report breaches to regulators (see: Tattletale Ransomware Gangs Threaten to Reveal GDPR Breaches).

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.