Number of Victims Breached Via MOVEit Zero-Day Keeps ClimbingVictim Count Is 378 Organizations, 20 Million Individuals - and It's Likely to Rise
How bad is the breach of the MOVEit zero-day to businesses, government agencies and their customers? The short answer is that the known fallout from the Clop ransomware group attack already looks bad and keeps getting worse as ongoing investigations add to the victim count of 20 million people.
The Clop - aka Cl0p - ransomware group has claimed credit for attacks targeting Progress Software's widely used MOVEit file transfer software. The group targeted a zero-day vulnerability in the software, allowing it to access the software and steal data. Most of the attacks appear to have occurred on May 30 and May 31.
Progress patched the zero-day vulnerability on May 31, blocking further exploits. Before then, Clop had successfully stolen data from an as-yet-unknown number of organizations, affecting an unknown number of individuals.
As of Tuesday, security firm Emsisoft's count stood at about 378 organizations known to be affected, with personal data for 20 million individuals known to have been exposed. Fewer than 10% of breached organizations have quantified how many individuals' personal details were stolen.
While Clop has previously launched ransomware attacks, its MOVEit campaign appears to only involve data exfiltration.
Clop has been posting additional victims to its data leak site on a daily basis, typically in batches of 10. When an organization gets posted to Clop's site, it typically means the victim declined to pay a ransom. How many organizations did pay a ransom to avoid seeing their name get listed - and for a promise their stolen data would be deleted - remains unknown.
Recently listed victims include manufacturer ITT, Allegiant Air and American Airlines, Ireland's Commission for Communications Regulation, cosmetics giant Estée Lauder, communications equipment manufacturer Sierra Wireless, software firms Bluefin Payment Systems and Ventiv Technology, and TJX Companies, which runs T.J. Maxx, Marshalls and other stores.
British media regulator Ofcom has also been listed on Clop's site. The regulator disclosed last month that MOVEit hackers had stolen "a limited amount of information about certain companies we regulate - some of it confidential" - along with the personal data of 412 employees.
Clop claims to have deleted any information it stole that pertains to government agencies. "If you are a government, city or police service do not worry, we erased all your data," the group claims on its data leak site. "You do not need to contact us. We have no interest to expose such information."
Other recently disclosed victims include the universities of Alaska, Colorado, Dayton, Delaware, Georgia, Idaho, Illinois, Loyola, Missouri, Oklahoma, Rochester, Southern Illinois, Temple, Utah, Wake Forest, Washington State, Webster and Worcester State, based on breach reports tracked by cybersecurity research firm KonBriefing.
Vitality Group International, which offers a well-being platform, issued a breach update Monday saying it has informed about 2,800 individuals that their name or another personal identifier was exposed, along with their Social Security number. The company said it is offering 24 months of Experian credit monitoring and identity theft protection services to all affected individuals.
Victim Count Keeps Climbing
Expect the number of affected organizations and individuals to keep rising, as organizations' MOVEit investigations continue.
Breach probes by multiple service providers are underway and will likely lead to more knock-on breach reports from their customers. Such investigations appear to remain underway at National Student Clearinghouse, which works with 3,600 colleges and universities - at least some of which have reported that they're still waiting to hear if they were affected by NSC's MOVEit breach.
Investigations also are underway at Teachers Insurance and Annuity Association and population management firm PBI Research Services, which works with numerous financial services firms.
PBI customers that have confirmed their data was breached include Fidelity, Genworth Financial and the California Public Employees' Retirement System, which manages the largest public pension fund in the U.S., among others.
On Friday, PBI alerted the U.S. Department of Health and Human Services to a breach involving about 1.2 million individuals. This may be the same data breach disclosed Monday by financial services firm Milliman Solutions, which reported that individuals' Social Security numbers had been stolen.
Milliman Solutions said PBI is working with Kroll to "provide credit monitoring, fraud consultation, and identity theft restoration services" to all affected individuals for 12 months.