Count of Organizations Affected by MOVEit Attacks Hits 637

Breach Notifications Say Over 41 Million Individuals' Personal Information Exposed

At least 637 organizations have confirmed they were affected by the zero-day attack on MOVEit file-transfer servers that began in late May.

That count, reported Thursday by German cybersecurity firm KonBriefing, includes organizations whose MOVEit servers were accessed as well as organizations affected indirectly because they work with one or more organizations that use the file-transfer tool built by Progress Software.

As a result of its attacks, the Russian-speaking Clop ransomware group has stolen data that includes personal details for at least 41 million individuals, based on the data breach notifications issued so far by affected organizations, reported security firm Emsisoft.

The number of individuals known to be affected is set to rise, as many organizations appear to be still probing the incident. They include Missouri's Department of Social Services.

In a Tuesday data breach notification, the state agency said personal information for the state's Medicaid users appears to have been stolen from service provider IBM's MOVEit server.

"DSS was able to obtain a copy of the files believed to have been accessed and we are still analyzing the contents of those files," it said. "Due to the size and formatting of the files, it will take some time to complete this analysis."

Anyone who may have been affected is being notified by DSS, so they can watch for signs of identity theft. The agency has promised to again contact anyone who it determines is definitely a victim. "The information involved in this incident may include an individual's name, department client number, date of birth, possible benefit eligibility status or coverage, and medical claims information," DSS said.

Clop Likely Timed Attack for US Holiday

Clop unleashed its highly automated mass attack around May 27, likely timed to take advantage of the U.S. Memorial Day holiday weekend. How the group came into possession of a zero-day vulnerability in Progress Software's software remains unknown. This is the fourth time Clop has targeted users of file-transfer tools via a mass attack.

Progress first publicly disclosed and patched the SQL vulnerability, tracked as CVE-2023-34362, on May 31.

Multiple organizations fell victim to the MOVEit attacks not directly but due to their use of service providers. In addition to Missouri's DSS, they include National Student Clearinghouse, which works with more than 3,500 colleges and universities in the U.S. and which has data on 17.1 million current postsecondary students.

Another widely used service provider and MOVEit user is PBI Research Services, which helps financial services firms comply with regulatory requirements, including identifying policyholders who are deceased as well as their beneficiaries.

Ransomware incident response firm Coveware estimated that Clop may have earned $75 million to $100 million via a few very large ransom payments from bigger victims in the early days of its campaign.

In June, Clop began posting to its data leak site the names of victims who declined to pay a ransom. The group has also been leaking data it stole from some organizations, although it claims to have deleted any information it stole from government entities.

Top 10 Organizations With Most Victims

| Organization | Individuals Affected |
|---|---|
| Maximus Inc. | 8 million to 11 million |
| Louisiana's Office of Motor Vehicles | 4.6 million to 6 million |
| Oregon Driver & Motor Vehicle Services | 3.5 million |
| Teachers Insurance and Annuity Association of America* | 2.63 million |
| Genworth* | 2.5 million to 2.7 million |
| Performance Health Technology | 1.7 million |
| Wilton Reassurance Co.* | 1.48 million |
| Milliman Solutions LLC* | 1.28 million |
| Allegheny County | 967,690 |
| F&G Annuities & Life/Fidelity & Guaranty Life Insurance Co.* | 873,000 |

*Incidents resulting from the MOVEit breach of PBI Research Services (Source: KonBriefing)

Sometimes data gets leaked via Clop's own dark web site. In other cases, the group has released stolen data via BitTorrent files. While these are decentralized and difficult to shut down, it's not clear how widely seeded and thus available they might be.

In some cases, Clop has also created dedicated websites for hosting the stolen data - notably for Aon, EY, Kirkland and TD Ameritrade - although these remained online for very little time, Bleeping Computer reported. Whether these sites were knocked offline via law enforcement action, legal takedown notices or distributed denial-of-service attacks isn't clear.

In recent days, Clop has threatened to dump all stolen information for victims who didn't pay a ransom, starting on Tuesday. "You data is going to publishing on clearweb and Tor and for large company we also create clearweb URL to help google index you data," Clop threatened in grammatically challenged English on its Tor-based leak site. "Also all data go on torrent and speed of download is very quick. You not hiding more."

Based on Clop's previous practical challenges with leaking so much stolen information, its latest claims may be empty bravado.

More Lawsuits

Victims of the MOVEit campaign have collectively filed multiple federal lawsuits seeking class action status against breached organizations.

In late June, residents of Louisiana who fell victim when their data was stolen from the state's Office of Motor Vehicles filed a lawsuit against New Bedford, Massachusetts-based Progress Software. Plaintiffs accused the vendor of failing "to properly secure and safeguard" individuals' personal data, leaving them at increased risk of identity theft.

Last month, plaintiffs filed two lawsuits against Johns Hopkins University and its Johns Hopkins Health System, seeking monetary damages and injunctive relief requiring the organization to improve its security practices.

Members of the California Public Employees Retirement System - aka CalPERS - filed a lawsuit against CalPERS service providers Pension Benefit Information - aka PBI Research Services - and The Berwyn Group.

Similar lawsuits have been filed in recent days against other organizations that used MOVEit and were hit by Clop, including the Teachers Insurance and Annuity Association of America or TIAA, the University of Rochester and Maximus Federal Services.

Aug. 11, 2023 07:30 UTC: This story has been updated to include the latest count of affected organizations and victims from KonBriefing and Emsisoft.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
